What's new around the internet

Last one

Src Date (GMT) Title Description Tags Stories Notes
WiredThreatLevel.webp 2018-06-20 00:00:00 Why Ford Is Buying Detroit's Derelict Central Depot (direct link) It's a savvy PR move, but it also sends a big message. The carmaker wants to show it can compete with Uber and Waymo and all the Silicon Valley tech giants. Uber
WiredThreatLevel.webp 2018-06-15 11:00:00 Four Reasons We Don't Have Flying Cars - Yet (direct link) The technological hurdles facing the development of aircraft for urban mobility systems like UberAIR are massive, but not insurmountable. Uber
no_ico.webp 2018-05-25 14:55:03 NTSB on Uber (Preliminary) (direct link) The NTSB has released “Preliminary Report Highway HWY18MH010,” on the Uber self-driving car which struck and killed a woman. I haven’t had a chance to read the report carefully. Brad Templeton has excellent analysis of the report at “NTSB Report implies serious fault for Uber in fatality” (and Brad’s writings overall on the subject have … Uber
no_ico.webp 2018-05-24 15:03:00 Threat Model Thursday: Google on Kubernetes (direct link) There’s a recent post on the Google Cloud Platform Blog, “Exploring container security: Isolation at different layers of the Kubernetes stack” that’s the subject of our next Threat Modeling Thursday post. As always, our goal is to look and see what we can learn, not to say ‘this is bad.’ There’s more than one way … Uber
CVE.webp 2018-05-17 03:29:00 CVE-2018-0268 (direct link) A vulnerability in the container management subsystem of Cisco Digital Network Architecture (DNA) Center could allow an unauthenticated, remote attacker to bypass authentication and gain elevated privileges. This vulnerability is due to an insecure default configuration of the Kubernetes container management subsystem within DNA Center. An attacker who has the ability to access the Kubernetes service port could execute commands with elevated privileges within provisioned containers. A successful exploit could result in a complete compromise of affected containers. This vulnerability affects Cisco DNA Center Software Releases 1.1.3 and prior. Cisco Bug IDs: CSCvi47253. Uber
no_ico.webp 2018-05-11 23:21:04 Uber To Resume Tests With Self-Driving Cars, Just A Few Months After Fatal Crash (direct link) The ISBuzz Post: Uber To Resume Tests With Self-Driving Cars, Just A Few Months After Fatal Crash Uber
NextINpact.webp 2018-05-09 08:45:01 (Déjà vu) ⭐ #LeBrief: Android P, new Falcon 9 rocket, batch of Windows updates and UberAir (direct link) It's time for #LeBrief, our roundup of the news in the field of new technologies. It contains all the information you must not miss to start the day right. It is published with free access. Read more Uber
zataz.webp 2018-05-03 10:09:02 Courvoisier, a hacker and his girlfriend arrested, €500,000 seized (direct link) The hacker Courvoisier and his girlfriend were arrested after attacking Uber and several British bookmakers. More than 500,000 euros in Bitcoin were seized. The hacker Courvoisier, Grant West, whose hacker logo was the shadow of Napoleon, was a known malicious actor in the... Uber
Chercheur.webp 2018-05-02 19:26:04 When Your Employees Post Passwords Online (direct link) Storing passwords in plaintext online is never a good idea, but it's remarkable how many companies have employees who are doing just that using online collaboration tools like Trello.com. Last week, KrebsOnSecurity notified a host of companies that employees were using Trello to share passwords for sensitive internal resources. Among those put at risk by such activity included an insurance firm, a state government agency and ride-hailing service Uber.com. Uber
SecurityWeek.webp 2018-04-30 06:33:01 Uber Updates Bug Bounty Program (direct link) Uber updates bug bounty program Uber
Kaspersky.webp 2018-04-27 17:16:02 Uber Tightens Bug Bounty Extortion Policies (direct link) Uber is tightening policies around its bug bounty program after a 2016 data breach exposed deep flaws in its policies around handling extortion. Uber ★★★★★
itsecurityguru.webp 2018-04-17 11:55:03 Youtuber hacked during livestream (direct link) Another day, another heist: Ian Balina, a cryptocurrency YouTuber known for his (sponsored) ICO reviews, was apparently hacked out of $2 million during a livestream session. View Full Story ORIGINAL SOURCE: The Next Web Uber
SecurityWeek.webp 2018-04-13 13:09:00 25 Million U.S. Individuals Impacted by 2016 Uber Hack (direct link) The 2016 data breach that Uber made public in November 2017 impacted over 25 million riders and drivers in the United States, the Federal Trade Commission (FTC) reveals. Uber
SecurityAffairs.webp 2018-04-13 07:41:01 Uber agrees to new FTC settlement over 2016 data breach (direct link) Uber agrees to a new settlement with the Federal Trade Commission over the massive 2016 data breach; the authorities could impose civil penalties on the company if it fails to share incident data with the FTC. Uber agrees to a new settlement with the Federal Trade Commission over the massive 2016 data breach. “Uber Technologies, […] Uber
DarkReading.webp 2018-04-12 13:20:00 Uber Agrees to New FTC Settlement Over 2016 Breach Disclosure (direct link) Uber has agreed to an updated settlement with the FTC after news of its massive 2016 data breach. Uber
SecurityWeek.webp 2018-04-05 13:32:05 (Déjà vu) Mitigating Digital Risk from the Android PC in Your Pocket (direct link) Security Teams Must Prioritize Risk Mitigation Against Android Malware. Few of us could have imagined that a device that allows us to talk to anyone from anywhere at any time would morph, in just a few years, into many users' computing device of choice. The latest numbers from StatCounter reveal that mobile devices are outpacing desktops and are the preferred method for accessing the Internet. The most popular operating system worldwide? Android. Threat actors watch these trends too. They're opportunistic and will focus their efforts where they believe their success rate will be the highest. So naturally, many are targeting Android devices and taking advantage of malware to launch attacks. As an open-source tool, Android provides the benefits of collaborative applications (apps) and innovation; however, its accessibility inherently exposes it to exploitation by malicious actors. In the past year, while some users fell victim to targeted social engineering campaigns that infect their devices, most malware was embedded in malicious apps users inadvertently downloaded from official and unofficial sources. With the greatest number of users, Android's official app store Google Play has been the largest single source of infection. However, most of the sources of infection were other third-party stores. Users are duped by apps that pose as legitimate resources or services, or that are advertised fraudulently by displaying branding associated with credible organizations. Apps have been found that impersonate Uber, any number of financial institutions, gaming apps and perhaps most galling, security apps. Mobile malware is generally delivered and deployed via a multi-step process requiring some user interaction. This presents threat actors with many opportunities to infiltrate a device. For example, once installed, many malicious apps request users to approve unnecessary privileges, such as administration access, to execute processes. Overlays (superimposing phishing screens on a legitimate app) are also used to prompt users to provide sensitive information, such as credentials or financial data. So, what's the ultimate endgame for cyber criminals? The most prevalent objective is espionage – gathering information through profiling device data or recording phone calls and messages. Mobile banking malware, such as Marcher and BankBot, uses sophisticated techniques to harvest user banking data, including overlays specific to target banks, and intercepts SMS messages to obtain multi-factor authentication codes. Recently, mobile devices have also been targeted for cryptocurrency mining. While less powerful than desktops and servers used for this purpose, more Android devices exist, and they are often less protected and, thus, more easily accessible. You can expect t Uber
MalwarebytesLabs.webp 2018-03-29 16:00:00 The data breach epidemic: no info is safe (direct link) By now it's obvious that data security technology hasn't kept pace with the needs of consumers. In 2017 alone, we learned about massive data breaches from major organizations like Equifax, Uber, and Verizon. In other words: We're in the midst of a data breach epidemic. Categories: 101, Infographics Equifax Uber
SecurityWeek.webp 2018-03-28 15:31:02 Risky Business: The Fifth Element (direct link) Last month, I talked about the elegant beauty in offloading parts of your risk portfolio in four distinct ways. The logic is to streamline the company's mitigation efforts and allow you to focus more time and investment where it matters most: on the unique risks inherent to the business. But there is a fifth element, and it is going to be in your future. While security-as-a-service for functions like WAF and DDoS protection are well-established, they are just the beginning of a new industry that is emerging around consumption-based security models. To a certain extent, security in the future is going to be Uberized, and for some situations, you may be able to get rid of your car entirely. No insurance. No maintenance. No hassles with parking. And you won't even have to wash it or vacuum crumbs out of the seat cracks. That is to say, you won't hire a company just for DDoS and WAF. You'll hire a company for IDaaS, IPS, encryption/decryption, SSL orchestration, governance, risk and compliance (GRC). And over time, you'll dial in your use of these services. Spin them up when they're needed most. Ratchet them back when they're not in demand. Pay only for what you use. This is a strategic way to contain costs as you may only fully use your GRC service when it's time for an audit, enabling the company to increase its capacity without having a consulting service on site. All of this will dramatically change how CISOs function and how their teams are structured. Instead of hiring dozens of people to build and maintain multiple systems, CISOs will shift to focus on the data that powers the business and how it flows through and interacts with these outsourced relationships. And yes, I am going so far as to say this shift is inevitable, because it's being driven by some pretty clear economic pressures: Talent scarcity. It's well-known that there are a lot of open job reqs in cybersecurity. I mean a lot, more than a million today. And according to Center for Cyber Safety and Education's 2017 Global Information Security Workforce Study, there may be as many as 1.8 million open jobs in the field by 2022. In this market, finding the right person can take months. You either have to poach them from another company or develop them yourself. Development means trial by fire. I don't know about you, but I don't want trial by fire. And if you do steal a great hire from another company, the cost-benefit analysis is such that you're basically being driven to a vendor anyway, simply because the salary pressure makes it more cost-effective. There are also specific areas of Uber
Blog.webp 2018-03-26 16:08:00 Podcast Beta Deaths: are we driving too fast towards Autonomous Vehicles? (direct link) In this week’s Security Ledger Podcast (Episode #89) we talk with Beau Woods of The Atlantic Council and the advocacy group I Am The Cavalry about the death of 49-year-old Elaine Herzberg, who was struck and killed by an autonomous vehicle operated by Uber. Also: following Facebook’s privacy meltdown with Cambridge Analytica,...Read the whole entry... Uber
AlienVault.webp 2018-03-23 13:00:00 Things I Hearted this Week 23rd March 2018 (direct link) This week has been dominated by the Cambridge Analytica – Facebook debacle. So, let’s just skip all of that and jump right into the security news that you may have missed. Stealing IP We often hear of intellectual property being stolen by competitors. However, it’s not too common to hear of IP being stolen from an IT Security vendor. Malwarebytes suspected a company called CyberByte was using its IP to augment its AV engine. So, it laid a subtle honey-trap to validate its theory. What I like about this story is how honey words / tokens / pots can be used in a relatively simple and low-tech manner to catch someone with their hand in the virtual cookie-jar. CyberByte steals Malwarebytes’ intellectual property | Malwarebytes Uber Self-Driving Car Strikes and Kills Arizona Woman An Uber self-driving car has struck and killed a woman pedestrian in Tempe, Arizona, the company revealed. Our hearts go out to the victim’s family. We’re fully cooperating with @TempePolice and local authorities as they investigate this incident. — Uber Comms (@Uber_Comms) March 19, 2018 Uber Self-Driving Car Strikes and Kills Arizona Woman | Bleeping Computer Information Security Misconceptions I thought I’d slip a self-promotional link in here for an article I wrote for CSO Online. Channelling my inner Billy Bragg, isn't it fair to say that nobody knows nothing anymore? I'm not just talking about the press -- although sloppy security reporting is far too common, and unfailingly gets my goat. What about people in the inside of the industry? Information Security Misconceptions | CSO Online AWS S3 leaky bucket of the week This week's misconfigured AWS S3 bucket award goes to Walmart jewellery partner MBM for exposing 1.3m customers. Open AWS S3 bucket managed by Walmart jewelry partner exposes info on 1.3M customers | SC Magazine DNS Poisoning and how to prevent it Much of what we know now about DNS, address protocol, and packet priority is being redefined with the recent 'Net Neutrality' legislation. Instead of becoming a party to the hoopla that is partisan politics surrounding THAT issue, let me assure you there are many different mitigation strategies for not only securing your own network against DNS poisoning, but also working towards a harmonious kum-by-ah solution that in the en Uber
bleepingcomputer.webp 2018-03-22 15:10:01 CoinMiner Campaigns Move to the Cloud via Docker, Kubernetes (direct link) After becoming a scourge inside browsers, on desktops, and on servers, cryptocurrency-mining malware is now invading the cloud, and it appears to be quite successful. [...] Uber
grahamcluley.webp 2018-03-22 00:36:05 (Déjà vu) Smashing Security #070: Facebook and Cambridge Diabolica (direct link) It's not fair to describe what happened at Facebook as a data breach - it's much worse than that. An autonomous Uber vehicle kills a pedestrian. And sextortion continues to be a serious problem. All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, who are joined this week by researcher Scott Helme. Uber
SecurityWeek.webp 2018-03-21 18:20:04 Growing Mistrust Threatens Facebook After Data Mining Scandal (direct link) As Facebook reels from the scandal over hijacked personal data, a movement to quit the social network gathered momentum Wednesday, portending threats to one of the most powerful internet firms. In a sign of the mood, one of those calling it quits was a high-profile co-founder of the WhatsApp messaging service acquired by Facebook in 2014 for $19 billion. "It is time. #deletefacebook," Brian Acton said in a tweet, using the hashtag protesting the handling of the crisis by the world's biggest social network. The WhatsApp co-founder, who now works at the rival messaging application Signal, posted the comment amid a growing uproar over revelations that Facebook data was harvested by a British political consulting firm linked to Donald Trump's presidential campaign. "Delete and forget. It's time to care about privacy," he said. The huge social network also faces investigations on both sides of the Atlantic over its data practices, and a handful of lawsuits which could turn into class actions that may prove a costly distraction for Facebook. It remains to be seen whether the uproar would lead to any significant departures, but the topic was active on social media, including on Facebook itself. Donella Cohen, a Weather Channel product manager, posted on her Facebook page that she would be off the network by midnight. "The latest revelations are showing just how corrupt and detrimental to society this particular platform is," she wrote. "I hope that a new social network emerges. One that isn't so greedy as to corrupt the political process in the name of the almighty dollar." - Fabric of internet - Yet analysts noted Facebook is unlikely to fade quickly because of how it is woven into the fabric of the internet, with "like" buttons on websites, comments sections for news articles and an ad network that delivers messages to those who are not Facebook members. The #deleteFacebook movement "is a social media feedback loop from the public -- we saw the same thing with #deleteUber," said Jennifer Grygiel, a communications professor at Syracuse University. "Sure, some people will delete Facebook, but to truly delete Facebook would mean that users would need to delete Facebook, Instagram, WhatsApp, and Messenger. This is not realistic for most people given how social media has been integrated into everyday life." Sandra Proske, head of communications for the Finla Guideline Uber
Blog.webp 2018-03-20 22:47:05 Autonomous vehicles could save more lives than they take. That might not matter. (direct link) Autonomous driving technology has the potential to save many more lives than it takes. But that may not matter if the public becomes convinced that autonomous vehicles are a danger to society. Will the death of a pedestrian in Tempe, Arizona derail the self-driving car initiatives of firms like Uber, General Motors and Tesla? The answer greatly...Read the whole entry... Uber Tesla
SecurityAffairs.webp 2018-03-20 12:20:03 Uber Self-Driving Car struck and killed a woman in Tempe, Arizona (direct link) An Uber self-driving car has struck and killed a woman pedestrian in Tempe, Arizona. The incident raises questions about the safety and security of this kind of vehicle. This is a sad page in the history of technology: an Uber self-driving car has struck and killed a woman pedestrian in Tempe, Arizona. The news […] Uber
SecurityWeek.webp 2018-03-20 07:03:01 Coverity Scan Hacked, Abused for Cryptocurrency Mining (direct link) Coverity Scan, a free service used by tens of thousands of developers to find and fix bugs in their open source projects, was suspended in February after hackers breached some of its servers and abused them for cryptocurrency mining. Synopsys, which acquired Coverity in 2014, started notifying Coverity Scan users about the breach on Friday. The company said malicious actors gained access to Coverity Scan systems sometime in February. “We suspect that the access was to utilize our computing power for cryptocurrency mining,” Synopsys told users. “We have not found evidence that database files or artifacts uploaded by the open source community users of the Coverity Scan service were accessed. We retained a well-known computer forensics company to assist us in our investigation.” Synopsys says the service is now back online and it believes the point of access leveraged by the attackers has been closed. In order to regain access to Coverity Scan, users will need to reset their passwords. “Please note that the servers in question were not connected to any other Synopsys computer networks. This should have no impact on customers of our commercial products, and this event did not put any Synopsys corporate data or intellectual property at risk,” users were told. Cybercriminals have become increasingly interested in making a profit by hacking PCs and servers and abusing them to mine cryptocurrencies. Cryptocurrency mining malware can target a wide range of devices, including industrial systems. One recent high-profile victim was the carmaker Tesla, whose Kubernetes pods were compromised and used for cryptocurrency mining. According to RedLock, which discovered the breach, hackers gained access to Tesla's Kubernetes console due to the lack of password protection. Related: Avoid Becoming a Crypto-Mining Bot - Where to Look for Mining Malware and How to Respond Related: Linux Malware Targets Raspberry Pi for Cryptocurrency Mining Uber Tesla
bleepingcomputer.webp 2018-03-19 17:00:05 Uber Self-Driving Car Strikes and Kills Arizona Woman (direct link) An Uber self-driving car has struck and killed a woman pedestrian in Tempe, Arizona, the company has revealed today. [...] Uber
AlienVault.webp 2018-03-19 13:00:00 DNS Poisoning and How To Prevent It (direct link) DNS poisoning. Simply the name conjures up the kind of thoughts that keep network admins up at night. What if my RNDC key gets leaked? Could there be a rogue DHCP server within my perimeter? Are the Lizard Squad planning an attack on  for Christmas? Much of what we know now about DNS, address protocol, and packet priority is being redefined with the recent 'Net Neutrality' legislation. Instead of becoming a party to the hoopla that is partisan politics surrounding THAT issue, let me assure you there are many different mitigation strategies for not only securing your own network against DNS poisoning, but also working towards a harmonious kum-by-ah solution that in the end, may end up resolving (pun intended) the DNS plight. So, let's silence the alerting system, and get down to what DNS poisoning is, why it's still around, and one of the best ways to solve it. Why is DNS Poisoning Possible? The first thing to understand about DNS 'poisoning' is that the purveyors of the Internet were very much aware of the problem. Essentially, DNS requests are "cached", or stored, into a database which can be queried in almost real-time to point names like 'hotmail.com' or 'google.com' to their appropriate IP addresses. Can you imagine having to remember a string of numbers instead of a fancy name to get to your desired WWW (or GOPHER - if that's your thing) resources? 321.652.77.133 or 266.844.11.66 or even 867.53.0.9 would be very hard to remember. [Note: I have obfuscated REAL IP addresses with very fake ones here. Always trying to stay one step ahead of the AI Armageddon. Real IP addresses end with the numerical value of '255' within each octet.] No, remembering strings of numbers would be next to impossible. But thankfully, and all because of Al Gore (sarcasm) we have the DNS mechanism that gives us [relatively] easy names to remember how to get to our favorite resources. DNS basically runs the Internet. Without it, only the most uber-geeky of computer scientists would be able to traverse it. Strings of numbers are just simply not how humans identify information. They help, but in reality, words and language are what separate us from our impending robotic overlords. It's because of this, that as the Internet began to grow, the DNS (Domain Name System) was created. To help us get from one side of the world to the other, with little angst. However, due to the limitations of computing (especially storage and bandwidth) at the time, the early versions of DNS simply used a "distributed" text file for name resolution. Think "blockchain" for EVERY SINGLE HOST that existed on the 'Net back then. It was a nicer and friendlier place, and that system worked well. Until it didn't, and some nice folks at ARIN and ICANN came along and began the system we use today: DNS. In its simplest explanation, DNS takes a name (e.g. yahoo.com) and looks at the locally configured 'Nameservers' for the "answer" to the question: 'What is the IP address of yahoo.com?'. Once an answer is found, it is passed back to the client requesting it, and the routing and magic of the TCP protocol kicks into gear, and the peasants rejoice. Except there are sometimes problems that arise that cause the peasants to NOT rejoice, and for network engineers to curse the vile notion of DNS. You see, since DNS arose during a time where "real-time" anything was not technically possible; to aid performance and allow for USABLE networks, DNS answers were logged into a locally stored 'cache' or database o Guideline Yahoo Uber
AlienVault.webp 2018-03-07 14:00:00 An Interview with Graham Cluley (direct link) I can’t remember what year I first met Graham Cluley. It may have been around 2006 at an awards event of some sort. We were both nominated in the same category; I believe it was for best security blogger. Graham was already well-established with many awards under his belt, whereas I was the jittery newbie, glad to have even been nominated for anything at all. As you may have guessed, Graham won that night. Usually I’d force a smile, congratulate the winner with some hollow words and then drown my disappointment at the buffet. But Graham is quite the quintessential gentleman. He sat and chatted with me throughout the evening, sharing tips and techniques and being overall very encouraging. I’ve kept an eye on his career ever since and stayed in touch with him. I felt like it was worth getting some time once again and talking through what makes him tick. You’ve been in the industry for a long time, what’s the secret to staying so apparently happy and enthusiastic - not to mention retaining a full head of hair? Life is so ghastly and absurd that it's impossible to take it too seriously. One of my failings is that I have a pitifully low boredom threshold, and find it a hard thing to disguise. This isn't a good thing, and has probably harmed my career immensely. Recently my wife says she's spotted a couple of grey hairs on my head, so it does appear that I am mortal. My brothers don't seem to have lost their hair either, so it must be something in the Cluley gene pool. That or the fact I spent the first eighteen years of my life eating only cheese sandwiches. There were your early days at Dr. Solomon’s, the Naked Security era, and now your life as an independent expert - with a more respected brand than most companies have. Was this a planned journey? How did your career end up here? I don't really think I have a career. I find it hard to describe to people what exactly it is that I do for a job. When I meet up with my brothers, they're baffled as to how I'm able to make a living too. So, there was no planned journey to get to this point. At college, I wrote and sold computer games, and they're what got the attention of Alan Solomon who offered me a job as a programmer in the early days of anti-virus. I left Dr. Solomon's (which was a fun place to work) because they got acquired by McAfee (who didn't seem very fun). I joined Sophos because it was a small fun company, and then left when it became big and stopped being fun. I make decisions like these fairly impulsively. Something will switch in my head and make me say, "I'd rather do something fun", and then that's it, my mind’s made up. Life is a little different now as I have a wife and young son, and I need to remind myself that I have some responsibilities. If they weren't in my life, it's quite possible that I would be doing something other than computer security. But I do enjoy finding new things to do – and my latest obsession is the weekly podcast I co-host with Carole Theriault. You’re a pretty public figure, but what little-known fact about your background usually surprises people? While I was studying at university, my girlfriend joined a cult. I tried for years to get her out, without success. That was pretty horrible, but I met a lot of good people and - hopefully - helped some other people l General Information Uber
itsecurityguru.webp 2018-03-06 15:03:00 Pennsylvania sues Uber for data breach (direct link) Shapiro says the hackers stole names and license information from Uber drivers. Over 50 million riders’ and 7 million drivers’ data was affected. “We want to make sure that consumers are protected across Pennsylvania, and that’s why we’re holding Uber accountable”. View Full Story ORIGINAL SOURCE: Stock News Press Uber
The_State_of_Security.webp 2018-03-06 13:36:02 Uber Sued by Penn. Attorney General for Delayed Data Breach Notification (direct link) Pennsylvania Attorney General Josh Shapiro is suing Uber for failing to promptly disclose a data breach that exposed the personal information of thousands of drivers in the state. The incident dates back to November 2017, when it was reported that the company went to great lengths to cover up a massive breach in 2016 by […]… Read More Uber
Korben.webp 2018-02-23 11:07:02 Uber Run – A tool to easily retrieve your Uber invoices (direct link) If you regularly need to retrieve invoices for your Uber rides, you probably know that it's a real pain. Fortunately, there is a small open-source tool called Uber Run that lets you download all your Uber invoices as PDFs to your hard drive in one go. … More Uber
itsecurityguru.webp 2018-02-21 14:10:04 Confidential data stolen from Tesla after staff failed to secure cloud server (direct link) According to researchers at cloud security firm RedLock Ltd., hackers infiltrated Tesla's Kubernetes software console after the company failed to secure it with a password. Within one of the Kubernetes pods, a group of software containers deployed on the same host, sat the access credentials to Tesla's Amazon Web Services Inc. account. The hackers then stole confidential data, ... Uber Tesla
The_State_of_Security.webp 2018-02-20 12:40:03 Hacker Tools Used for Good as Exposed Amazon Cloud Storage Accounts Get Warnings (direct link) Responding to the all too familiar news of compromised Amazon cloud storage, security researchers have begun leaving “friendly warnings” on AWS S3 accounts with exposed data or incorrect permissions. The misconfiguration of access control on the AWS storage “buckets” has been responsible for numerous high profile data breaches, including Verizon, The Pentagon, Uber, and FedEx. […]… Read More FedEx Uber
SecurityWeek.webp 2018-02-07 10:22:11 Hackers From Florida, Canada Behind 2016 Uber Breach (direct link) Uber shares more details about 2016 data breach Uber
DarkReading.webp 2018-02-06 19:23:00 Uber's Response to 2016 Data Breach Was 'Legally Reprehensible,' Lawmaker Says (direct link) In Senate hearing, Uber CISO admits company messed up in not quickly disclosing breach that exposed data on 57 million people. Uber
Korben.webp 2018-02-03 13:37:58 How to make a good clickbait YouTube thumbnail? (direct link) Here's a tutorial video that will please my YouTuber friends (or not ;-)). In this video, you will learn the secrets of the biggest names for making a properly clickbait YouTube thumbnail to lure in passers-by, whatever the quality of the content. Warning, this is heavy stuff! (and above all, humour) Uber
no_ico.webp 2018-01-23 21:00:52 Security Flaw Ignored By Uber That Renders “ (lien direct) The ISBuzz Post: This Post Security Flaw Ignored By Uber That Renders “ Uber
The_Hackers_News.webp 2018-01-23 05:37:52 Cybersecurity Certification Courses – CISA, CISM, CISSP (lien direct) The year 2017 saw some of the biggest cybersecurity incidents-from high profile data breaches in Equifax and Uber impacting millions of users to thousands of businesses and millions of customers being affected by the global ransomware threats like WannaCry and NotPetya. The year ended, but it did not take away the airwaves of cybersecurity incidents, threats, data breaches, and hacks. The NotPetya Wannacry Equifax Uber
ZDNet.webp 2018-01-21 14:26:00 After ignoring for months, Uber fixes two-factor bypass bug after all (lien direct) "There is no need for a novelty 2FA if it doesn't actually serve a purpose." Uber
AlienVault.webp 2018-01-19 14:00:00 Things I Hearted this Week – 19th Jan 2018 (lien direct) Happy Friday wonderful people. It’s been a busy week in infosec with a flurry of activity, so let’s jump right in. The 100 Billion Dollar Infosec Question If someone gave you 100 billion dollars to improve information security, how would you spend it? No, seriously, please. Give it some thought. This question spurred Dan Klinedinst to pen his thoughts in a thought-provoking post that will probably leave you with more questions than answers. The 100 Billion Dollar Infosec Question | Dan Klinedinst, Medium IT Security Spending to reach $96 billion in 2018 | Dark Reading Putting the bug in bounty I’m a big fan of bug bounties, I think that they have a lot of benefits. But, as with any emerging service, there will be issues. One of them is differentiating between Bug Bounty and Security Consulting or Testing. And that can cause some problems, which are very well articulated by John Carroll. BugBounty != Security Consulting | CTU Security Inside Uber’s $100,000 Payment to a Hacker, and the Fallout | NY Times Mirai Okiru botnet targets ARC-based IoT devices For those of you who don't know, ARC (Argonaut RISC Core) processors are the second most widely used processors in the world and can be found in all manner of unassuming connected devices, from car tech to storage, home and mobile devices. The new Mirai botnet, known as Mirai Okiru, is going after them with the aim of knocking them offline with distributed denial of service (DDoS) attacks. Mirai Okiru botnet targets for first time ever in the history ARC-based IoT devices | Security Affairs Mirai Okiru is a botnet that's going after ARC-based IoT gadgets | The Inquirer Mirai Okiru: New DDoS botnet targets ARC-based IoT devices | CSO Mental Models & Security: Thinking Like a Hacker Is it weird that I’m including one of my own articles from this week? Is that the equivalent of someone liking their own Facebook posts? 
I’ve been reading up on mental models lately a lot and thought a lot could be applied to security, or as is often said, to think like a hacker. I listed seven of my favourite models in this Dark Reading contributed article. Mental Models & Security: Thinking Like a Hacker | Dark Reading LeakedSource Founder Arrested for Selling 3 Billion Stolen Credentials Guideline Uber
AlienVault.webp 2018-01-05 14:00:00 Things I Hearted this Week 5th Jan 2018 (lien direct) The opening of movies sets the tone for the rest of the film. Within the first few minutes you usually get an idea of the characters, whether it's a slow suspense, a drama, or action flick. If the first few days of 2018 are any indication, the IT Security world has kicked off with a dizzying Michael Bay-esque opening action sequence with rapid cuts that would rival any Edgar Wright montage. So let's jump head first right into it. Meltdown Step aside Heartbleed, and forget all about WannaCry, there's a new duo of attacks in town, complete with logos, websites, and tales of doom. Meltdown Attack, the website. Google Project Zero blog NCSC’s advice Replace CPU hardware – legit advice. Linus Torvalds was not happy, and issued a strongly-worded statement Mozilla Confirms Web-Based Execution Vector for Meltdown and Spectre Attacks | Bleeping Computer Facebook and India’s controversial National ID Database Facebook has clarified that it’s not asking new users in India for their Aadhaar information while signing up for a new Facebook account. Aadhaar is India’s biometric ID system that links the demographic information of more than a billion Indians with their fingerprints and iris scans, and stores it in a centralized government-owned database that both government agencies and private companies can access to authenticate people’s identities. The program has been slammed by critics for enabling surveillance and violating privacy. Facebook said this was a “small test” that the company ran with a limited number of Indian users, and that its goal was to help new users understand how to sign up to Facebook with their real names. It sounds an awful lot like the “wallet inspector” in the school playground that would also then keep my money safe for me. 
Facebook Just Clarified That It Is Not Collecting Data From India's Controversial National ID Database |Buzzfeed Rs 500, 10 minutes, and you have access to billion Aadhaar details | The Tribune India Trackmageddon Two researchers have disclosed problems with hundreds of vulnerable GPS services using open APIs and trivial passwords (123456), resulting in a multitude of privacy issues including direct tracking. Further, many of the vulnerable services have open directories exposing logged data. For some, the vulnerabilities discovered and disclosed by Vangelis Stykas (@evstykas) and Michael Gruhn (@0x6d696368) aren't new. They were disclosed during Kiwicon in 2015 by Lachlan Temple, who demonstrated flaws in a popular car tracking immobilization device. Wannacry Uber
itsecurityguru.webp 2018-01-04 17:34:05 Uber Android app targeted by malware (lien direct) Symantec researchers have uncovered malware that harvests users' passwords from Uber's Android app, giving hackers access to users' accounts. Uber ★★★
MalwarebytesLabs.webp 2017-12-21 16:00:00 The seven most colossal data breaches of 2017 (lien direct) This year saw a handful of spectacularly bad security fails that resulted in massive sets of compromised data. Here are the most colossal data breaches of 2017. Equifax Uber
ErrataRob.webp 2017-12-19 21:59:49 Bitcoin: In Crypto We Trust (lien direct) Tim Wu, who coined "net neutrality", has written an op-ed in the New York Times called "The Bitcoin Boom: In Code We Trust". He is wrong about "code". The wrong "trust" Wu builds a big manifesto about how real-world institutions can't be trusted. Certainly, this reflects the rhetoric from a vocal wing of Bitcoin fanatics, but it's not the Bitcoin manifesto. Instead, the word "trust" in the Bitcoin paper is much narrower, referring to how online merchants can't trust credit cards (for example). When I bought school supplies for my niece when she studied in Canada, the online site wouldn't accept my U.S. credit card. They didn't trust my credit card. However, they trusted my Bitcoin, so I used that payment method instead, and succeeded in the purchase. Real-world currencies like dollars are tethered to the real world, which means no single transaction can be trusted, because "they" (the credit-card company, the courts, etc.) may decide to reverse the transaction. The manifesto behind Bitcoin is that a transaction cannot be reversed -- and thus, can always be trusted. Deliberately confusing the micro-trust in a transaction and macro-trust in banks and governments is a sort of bait-and-switch. The wrong inspiration Wu claims: "It was, after all, a carnival of human errors and misfeasance that inspired the invention of Bitcoin in 2009, namely, the financial crisis." Not true. Bitcoin did not appear fully formed out of the void, but was instead based upon a series of innovations that predate the financial crisis by a decade. Moreover, the financial crisis had little to do with "currency". The value of the dollar and other major currencies was essentially unscathed by the crisis. 
Certainly, enthusiasts looking backward like to cherry-pick the financial crisis as yet one more reason why the offline world sucks, but it had little to do with Bitcoin. In crypto we trust It's not in code that Bitcoin trusts, but in crypto. Satoshi makes that clear in one of his posts on the subject: A generation ago, multi-user time-sharing computer systems had a similar problem. Before strong encryption, users had to rely on password protection to secure their files, placing trust in the system administrator to keep their information private. Privacy could always be overridden by the admin based on his judgment call weighing the principle of privacy against other concerns, or at the behest of his superiors. Then strong encryption became available to the masses, and trust was no longer required. Data could be secured in a way that was physically impossible for others to access, no matter for what reason, no matter how good the excuse, no matter what. You don't possess Bitcoins. Instead, all the coins are on the public blockchain under your "address". What you possess is the secret, private key that matches the address. Transferring Bitcoin means using your private key to unlock your coins and transfer them to another. If you print out your private key on paper, and delete it from the computer, it can never be hacked. Trust is in this crypto operation. Trust is in your private crypto key. We don't trust the code The manifesto "in code we trust" has been proven wrong again and again. We don't trust computer code (software) in the cryptocurrency world. The most profound example is something known as the "DAO" on top of Ethereum, Bitcoin's major competitor. Ethereum allows "smart contracts" containing code. The quasi-religious manifesto of the DAO smart-contract is that the "code is the contract", that all the terms and conditions are specified within the smart-contract co Uber
01net.webp 2017-12-18 05:06:22 How Uber looted its competitors' secrets (lien direct) Espionage, infiltration, hacking... the ride-hailing company would stop at nothing to steal information about its rivals. We finally know the details of these methods thanks to the testimony of a former employee. Uber
bleepingcomputer.webp 2017-12-18 00:30:00 Hacker "Courvoisier" Pleads Guilty to Attacks on Uber, Groupon, T Mobile, Others (lien direct) A UK man living in a caravan park pleaded guilty last week to cyber-attacks on 17 websites and selling stolen user information on the Dark Web. [...] Guideline Uber
AlienVault.webp 2017-12-15 14:00:00 Things I Hearted This Week 15th December 2017 (lien direct) Continuing the trend from last week, I’ll continue trying to put a positive spin on the week’s security news. Why? I hear you ask. Well, I’ve been mulling over the whole optimist thing, and glass half full analogy and it does work wonders. Side note, a tweet about half full / empty glasses and infosec took on a life of its own a few days ago. But I’m reminded of the ending monologue by Morgan Freeman in “The Shawshank Redemption”, in which he starts off by saying, “Get busy living or get busy dying.” So the thought of the week is, “Get busy securing, or get busy insecuring.” Hmm, doesn’t quite have the same ring to it. Will have to think of a better word – but you catch my drift. Let’s jump into this week’s interesting security bits. Mirai Mirai on the wall I picture Brian Krebs as being a Liam Neeson type – he sees that his website is under attack by a never-before-seen DDoS attack. He mutters to himself, “I don’t know who you are, but I will hunt you, I will find you, and I will blog about it until you get arrested, prosecuted, and thrown in jail.” It so happens that this week the hackers behind the Mirai botnet and a series of DDoS attacks pled guilty. The Hackers Behind Some of the Biggest DDoS Attacks in History Plead Guilty | Motherboard Mirai IoT Botnet Co-Authors Plead Guilty | KrebsonSecurity Botnet Creators Who Took Down the Internet Plead Guilty | Gizmodo Bug Laundering Bounties Apparently, HBO negotiated with hackers, paying them $250,000 under the guise of a bug bounty as opposed to a ransom. Maybe in time, it will be found that HBO acted above board, maybe it was a sting operation, maybe it was a misconstrued email. The worrying fact is that any payment exchange system can be used to launder money. However, bug bounty providers don’t (as far as I can tell) have financial services obligations. Does the bug bounty industry need more regulation (shudder)? 
Leaked email shows HBO negotiating with hackers | Calgary Herald Remember the 'Game of Thrones' leak? An Iranian hacker was charged with stealing HBO scripts to raise bitcoin | USA Today Uber used bug bounty program to launder blackmail payment to hacker | ars Technica Inside a low budget consumer hardware espionage implant I’m not much of a hardware expert – actually, I’m not much of a hardware novice either. But this writeup by Mich is awesome. I didn’t even know there were so many ways to sniff, intercept and basically mess around with stuff at such small scale. It’s extremely detailed and I’ve permanently bookmarked it for future reference. Guideline Medical Cloud Uber APT 38 APT 37
SecurityWeek.webp 2017-12-14 03:11:10 U.S. Prosecutors Confirm Uber Target of Criminal Probe (lien direct) A letter made public Wednesday in Waymo's civil suit against Uber over swiped self-driving car secrets confirmed the ride-share service is the target of a US criminal investigation. Uber
no_ico.webp 2017-12-12 21:00:09 How Not To Uber Your Data Breach: A Guide For Handling A Cyber-Attack (lien direct) Uber
Last update at: 2024-05-09 20:07:54