Uber Uses Software to Remotely Log Out to Preserve Customer Privacy Data

With 78 or more international offices, a company might have to consider possible opposition from government authorities. In 2015, Uber faced a series of investigations in China and various other countries and was looking to secure its information while being investigated. During these police raids, employees knew the drill: immediately log off and make it nearly impossible for the police to access the information they had a warrant to retrieve, that is, proceed with the “unexpected visitor protocol.”

For fear of sounding a little too suspicious, it’s important to know that Uber was trying to protect the privacy and security of its customers, drivers, and employees, especially abroad. After a lot of searching, Uber discovered software called “Ripley,” which was said to be named after Sigourney Weaver’s character in the 1979 sci-fi movie, Alien. This software is able to remotely disable, lock, or change the password on employees’ computers and smartphones in the event of a breach or police raid. As quoted in a Bloomberg.com article, “The nickname was inspired by a Ripley line in Aliens, after the acid-blooded extraterrestrials easily best a squad of ground troops. ‘Nuke the entire site from orbit. It’s the only way to be sure.’”

According to Bloomberg, the software was used during a raid in Montreal in May 2015. The idea behind it was for Uber’s team at the San Francisco headquarters to be able to shut down a device if necessary. On that occasion, the Quebec tax authority arrived at the office unannounced with a warrant. Uber’s on-site managers followed the protocol and alerted company headquarters about what was happening. With the use of Ripley, they were able to reveal nothing to the investigators by immediately logging off all the devices in the Montreal office.

Employees are trained to alert headquarters and follow some simple procedures when someone arrives unannounced at a foreign office, in order to protect company data. If investigators begin to examine Uber’s machines, employees have a list of Do’s and Don’ts to follow. The Do’s include cooperating with the authorities and disclosing requested documents. The Don’ts say not to volunteer any information, nor “delete, destroy, and hide any document or data.” It’s unclear, though, whether they used this list when using Ripley. It is clear, however, that Uber has allowed authorities to leave the building with company laptops plenty of times before. It all depends on the legal privilege of the situation.

“Like every company with offices around the world, we have security procedures in place to protect corporate and customer data,” an Uber spokeswoman said. “When it comes to government investigations, it’s our policy to cooperate with all valid searches and requests for data.”

Later, Uber started using off-the-shelf software called Prey and another program named uLocker. Uber said that this software is able to protect the privacy of drivers, Uber employees, and passengers. Last March, the New York Times revealed that the company used secretive software called Greyball in some cities where Uber wasn’t yet allowed to operate. The software let the company target certain people, like the police, and show them a mock-up version of the app with no cars available, hiding the fact that Uber was indeed in operation.

According to the article, Uber is now under investigation by the US Department of Justice for its use of Greyball and is facing at least four other inquiries by the US government. As for Ripley, uLocker, and Prey, Uber has said that there is nothing secretive about them. It’s basically the same software someone would use to track down a lost or stolen smartphone. An Uber spokeswoman has also mentioned that this software is good for internal use. For instance, if an employee loses their laptop, the company can just log them out of Uber’s system to prevent the information from leaking and to keep someone else from accessing private user data.

US Government Falls Victim to Information Security Breaches, Obama Signs Cybersecurity National Action Plan


Cybercrime is on the rise and the government is ill-prepared to protect itself from attacks. If you aren’t convinced, here’s what’s new in government cybercrime just this past week:

Using old-fashioned social engineering, hackers gained access to computers at the Department of Justice and exposed the contact information of nearly 10,000 Department of Homeland Security employees. Those affected were special agents, intelligence analysts, technicians, language specialists and more.

The same group later released information on 22,000 FBI employees including names and job titles, phone numbers, states of residence, and email addresses.

Another group of cyber attackers fooled the IRS’s system into generating more than 100,000 tax return PIN codes. These codes could have been used to file fake tax returns under stolen Social Security numbers, had the breach not been discovered.

As the government gathers more and more information on everyday citizens and pushes to gain backdoor access from technology companies, these incidents are a huge cause for concern.

Earlier this week, Obama issued an executive order in an attempt to improve national cybersecurity. The proposal includes a new position, “Chief Information Security Officer” (CISO), a federal privacy council, a $3.1 billion budget to replace outdated systems, and efforts to educate the public on how to protect their personal information. There are also plans to review where the government can cut down on the use of Social Security numbers as identifiers for citizens. The plan outlines a proposed $19 billion federal cybersecurity budget for 2017. Shocked by the budget, many are debating whether the proposal is worth the cost.

However, we would argue the executive action is long overdue, and the proposed plan might even be too little too late. Over nine months ago the Office of Personnel Management was hacked for the second time last year. The breach makes this last week’s incidents look like child’s play, affecting 22.1 million people (almost 7 percent of the U.S. population) and revealing Social Security numbers, financial history, and even the contact information of friends and relatives of intelligence and military personnel who had applied for security clearance. Where was the government’s action plan then?

Some perspective on the impact of the breach of the US Office of Personnel Management (via informationisbeautiful.net)

While the proposed cybersecurity plan isn’t perfect, it’s a step in the right direction. More emphasis needs to be placed on education. Cybercrime awareness has improved, yet most individuals aren’t sure what actions they must take to protect their information.

People, not whole government agencies, are on the front lines when dealing with information security threats, and human error is a factor in over ninety percent of cybercrime incidents. Government employees as well as the public should be taught how to recognize threats and take the proper course of action as they arise. Sufficient funds for training and education on social engineering will be critical for prevention. Information security is everyone’s responsibility, and the stewardship of sensitive information is not to be taken lightly.


Cybersecurity Trends for 2016

Today we can do just about everything with the help of the internet: view and control bank accounts, peruse and shop from stores around the world, connect with new people or video chat with distant friends and family, even control smart objects like kitchen appliances from afar. The same effect can be observed in business, with more and more day-to-day operations becoming automated or conducted online.

It’s no surprise that privacy and online security are going to be a prominent topic of concern in 2016 and beyond. With all kinds of sensitive information being transferred between different parties, hackers have more opportunity than ever to try to steal information to either sell on the dark web or use for their own financial gain.

There are many precautions consumers and businesses should take to stay in control of their confidential information and protect business assets. For users, get started with our comprehensive Guide to Cyber Security and our Guide to Email Security.

For a general idea of cybersecurity trends, check out our infographic:

[Infographic: Cybersecurity 2016]

In the coming weeks, we will continue our Cybersecurity series to help inform users of how to protect their information. Stay tuned for more on common social engineering tactics, how to protect your inbox through safe email practices, bolstering information security on mobile devices, and how to control what is shared on social media.

Interested in protection for your business? Visit our website to learn more about our cybersecurity services and contact Inverselogic to speak with an expert.

Consumer Security: Malware Ads on Forbes

The annual Forbes 30 Under 30 list highlights a select few in various industries from music to healthcare; these individuals are up-and-coming influencers under the age of 30. Naturally, the 30 Under 30 franchise receives much attention and its pages garner hundreds of thousands of online views.

Many consumers are just becoming aware of how vulnerable their privacy is online, progressively more so with coverage of recent breaches at companies and even government organizations like Apple, the IRS, and Ashley Madison. It’s natural that this year’s 30 Under 30 list includes a few names in security. The article mentions:

Ryan Ozonian, 27, created encrypted messaging app CyberDust that he says is safer than SnapChat. Javier Agüera Reneses, 23, created the encrypted smartphone BlackPhone (in partnership with security firm Silent Circle) and now serves as Silent Circle’s chief scientist. Reyad Allie, 26, is Uber’s Global Intelligence Analyst and keeps the $50 billion car service’s driver and user data safe.

This nod to advancement in data security only makes it more surprising that Forbes served malware to visitors who wished to view the article and disabled their Adblocker software.

Producing quality content incurs a cost, and like other publishers, Forbes pays for this by serving ads or through a subscription model. Those who wish to view content without a subscription are asked to disable their Adblocker software for an “ad-light” experience. Forbes claimed this strategy helps monetize millions of impressions that would have otherwise been blocked.

The choice to disable the software is in the hands of consumers, and Forbes’ strategy seemed like a bona fide solution meant to help generate revenue. Forbes has also disabled the poisoned ads since becoming aware of the problem. However, there is a glaring problem with the system when a host cannot monitor exactly what is being served to its visitors. Even Adblocker does not protect users from all malware.

Forbes (and lesser known sites) sometimes have little control over (or knowledge of) what ads are being served to visitors. Until this is resolved, the responsibility for keeping information safe online ultimately falls on the consumer. Stay tuned for more in the future on how you can protect your data.

Social Engineering: The Underestimated Threat to Information Security

When you hear about information security, you might think of viruses or hackers attacking from far, far away. While these are legitimate threats, one of the most common causes of security breaches is the victim or their associates simply telling an attacker what they want to know. Even with the most complex security systems, the human social factor can lead to vulnerability.

So how are attackers getting away with this? Rather than using technical knowledge to break into a system, they interact with victims to obtain what they need to commit fraud, steal information, and gain system access.


It is human nature to trust those who act with confidence, and attackers use social engineering to exploit this tendency. Even large corporations are vulnerable despite security protocol, as proven by recent white hat contests. Here are some examples of social engineering:

Pretexting

Inventing a fake situation and setting it up so that the victim thinks they must give up information is known as pretexting (it is also illegal after a law was passed in 1999). Modern attackers have even been known to pose as IT support, calling departments and claiming to be returning a service call, and then asking for users’ login credentials to penetrate systems.

Baiting

Investigative journalist Adam Penenberg recently challenged modern hackers to obtain information about him. In one attempt, a “spy” was sent to his wife’s yoga studio, posing as a student, and intentionally left a USB drive loaded with malware in hopes that someone would plug it into a computer to find out who it belonged to. This tactic exploits curiosity, using physical media as bait. Malware launched on a computer can collect data like passwords and credit card information and send it to an outsider without the user ever knowing it is there.

Tailgating

People have a habit of assuming that nothing is awry if someone seems to “fit in.” To physically breach security, intruders have been known to tailgate, or follow someone closely enough to slip by and gain access to areas off limits. By acting confident in their actions, sometimes even pretending to swipe an access card, they are able to fool those around them without drawing attention.

Social engineering uses the same tactics long practiced by con artists. Despite the con artist’s many years of existence, we haven’t learned how to identify or distrust them. The best way to avoid assisting an attacker is by implementing security protocols and always following security procedures. Always question anyone or anything unfamiliar, and if you feel like you may be inconveniencing someone by refusing to give them information, it might be best to explain that it’s always better to be safe than sorry.