Slashdot Mirror


Uber Discloses Database Breach, Targets GitHub With Subpoena

New submitter SwampApe tips news that Uber has revealed a database breach from 2014. The company says the database contained names and diver's license numbers of their drivers, about 50,000 of which were accessed by an unauthorized third party. As part of their investigation into who was behind the breach, Uber has filed a lawsuit which includes a subpoena request for GitHub. "Uber's security team knows the public IP address used by the database invader, and wants to link that number against the IP addresses and usernames of anyone who looked at the GitHub-hosted gist in question – ID 9556255 – which we note today no longer exists. It's possible the gist contained a leaked login key, or internal source code that contained a key that should not have been made public."

47 comments

  1. I'll bet an Uber developer leaked it by jtara · · Score: 5, Insightful

    Now, why would they be asking about a gitHub gist?

    I'll bet one of Uber's own developers leaked the key. Presumably, by accident.

    1. Re:I'll bet an Uber developer leaked it by bloodhawk · · Score: 1, Troll

      Hackers constantly trawl github for morons that leave keys in their code. So many organizations have been caught out now, especially ones that host on amazon, that there is simply no excuse for this happening anymore.

    2. Re:I'll bet an Uber developer leaked it by FrozenGeek · · Score: 2

      I really do not understand why a company would post their proprietary code to Github.

      --
      linquendum tondere
    3. Re:I'll bet an Uber developer leaked it by Anonymous Coward · · Score: 0

      Quite often it isn't even all that proprietary, just sample code they have customised from others etc, then they forget to remove things like amazon keys or authentication keys to various services when they upload.

    4. Re:I'll bet an Uber developer leaked it by Anonymous Coward · · Score: 3, Insightful

      I really do not understand why a company would post their proprietary code to Github.

      Neither do I. They call it social coding. Sometimes it's agile social coding within the cloud.

      I call it a security risk because it's too easy for idiots to accidentally publish their keys, and the more I see GitHub going up and down like a toilet seat every time some idiot feels like doing a DDOS attack, the more I think we've spent years working on DVCSes only to re-create the single-point-of-failure that we had with centralized VCS.

    5. Re:I'll bet an Uber developer leaked it by rdnetto · · Score: 1

      Github provides (private) hosting for proprietary projects, for a price. My guess is they didn't realise the gist wasn't protected similarly.

      --
      Most human behaviour can be explained in terms of identity.
  2. Just a distraction from the real fail... by NimbleSquirrel · · Score: 5, Interesting

    Any hacker with any decent opsec would not be showing their actual IP address. The subpoena request is just smoke and mirrors to hide Uber's own security fail. Even if GitHub were to hand over the data, they would likely find nothing useful. Uber know that GitHub will not hand over that data without a fight. I am willing to bet that Uber are going to start claiming that the hack isn't their fault because GitHub won't hand over the data. If Uber already know the public IP of the hacker, why do they need the info from GitHub to proceed? Meanwhile the actual security fail of Uber making their database access info publicly accessible gets overlooked.

    1. Re:Just a distraction from the real fail... by hawguy · · Score: 5, Insightful

      Any hacker with any decent opsec would not be showing their actual IP address. The subpoena request is just smoke and mirrors to hide Uber's own security fail. Even if GitHub were to hand over the data, they would likely find nothing useful. Uber know that GitHub will not hand over that data without a fight. I am willing to bet that Uber are going to start claiming that the hack isn't their fault because GitHub won't hand over the data. If Uber already know the public IP of the hacker, why do they need the info from GitHub to proceed? Meanwhile the actual security fail of Uber making their database access info publicly accessible gets overlooked.

      Because they think it was a crime of opportunity, which sounds like a reasonable supposition -- the hacker stumbled across the key in Github, then either gave (or sold) the key to someone else to do the hack, or did the hack himself. Clearly he wouldn't have downloaded the data using his own IP address, but it's entirely possible that when he found the key on Github, he was using a traceable IP.

      By admitting that one of their developers leaked the key himself on Github, it seems a little late for them to claim that they have no responsibility for the breach.

    2. Re:Just a distraction from the real fail... by Anonymous Coward · · Score: 2, Insightful

      "If Uber already know the public IP of the hacker, why do they need the info from GitHub to proceed?"

      The answer in the summary: "to link that number against the IP addresses and usernames." Right now they just have an IP, but it's possible that the attacker was logged into their Github account, another piece of information that could help identify him.

      "Any hacker with any decent opsec would not be showing their actual IP address."

      There's tons of very skilled and usually-careful criminals in prison. Everyone makes mistakes sooner or later. Maybe the attacker did this time.

      "Meanwhile the actual security fail of Uber making their database access info publicly accessible gets overlooked."

      Yes, Uber messed up if they posted a key in a gist. If someone suffers harm from the data breach, they could sue Uber for that negligence. That doesn't change the fact that the attacker committed a crime and illegally accessed private information. Weak security and leaked access codes don't change the fact that unauthorized access is illegal. The principle is the same in cyberspace as in meatspace. Uber is doing nothing wrong or atypical in trying to identify the hacker.

    3. Re:Just a distraction from the real fail... by Anonymous Coward · · Score: 1

      What kind of fucking retard uploads secrets to github?
      What kind of fucking retard company employs retards like that?

    4. Re:Just a distraction from the real fail... by NimbleSquirrel · · Score: 4, Informative

      Because they think it was a crime of opportunity, which sounds like a reasonable supposition -- the hacker stumbled across the key in Github, then either gave (or sold) the key to someone else to do the hack, or did the hack himself. Clearly he wouldn't have downloaded the data using his own IP address, but it's entirely possible that when he found the key on Github, he was using a traceable IP.

      There could be hundreds of legitimate accesses of that file. If the hacker was indeed using a hidden IP address to access the database, but his real IP to download the gist, how are Uber going to determine that from all the other legitimate accesses? If the hacker gave away or sold that information, there is going to be no way for Uber to determine a link at all. This just seems like a fishing expedition to hide the real fail.

      By admitting that one of their developers leaked the key himself on Github, it seems a little late for them to claim that they have no responsibility for the breach.

      Ahh... but the thing is that Uber haven't admitted to anything like that. By serving a subpoena against GitHub, it is clear that is what has happened, but nowhere have I seen Uber actually admit this. If Uber were actually to admit this, it would likely open them up to lawsuits from their affected drivers.

    5. Re:Just a distraction from the real fail... by hawguy · · Score: 1

      Because they think it was a crime of opportunity, which sounds like a reasonable supposition -- the hacker stumbled across the key in Github, then either gave (or sold) the key to someone else to do the hack, or did the hack himself. Clearly he wouldn't have downloaded the data using his own IP address, but it's entirely possible that when he found the key on Github, he was using a traceable IP.

      There could be hundreds of legitimate accesses of that file. If the hacker was indeed using a hidden IP address to access the database, but his real IP to download the gist, how are Uber going to determine that from all the other legitimate accesses? If the hacker gave away or sold that information, there is going to be no way for Uber to determine a link at all. This just seems like a fishing expedition to hide the real fail.

      Or there could be 2 accesses of that file, depending on how long they left it up there. Right now, only Github knows how many people accessed it.

      By admitting that one of their developers leaked the key himself on Github, it seems a little late for them to claim that they have no responsibility for the breach.

      Ahh... but the thing is that Uber haven't admitted to anything like that. By serving a subpoena against GitHub, it is clear that is what has happened, but nowhere have I seen Uber actually admit this. If Uber were actually to admit this, it would likely open them up to lawsuits from their affected drivers.

      They provided the exact Gist URL that had the information, if the drivers want to sue, they can subpoena Github themselves.
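The correlation the posters above are arguing about (one known IP against every access to the gist, with and without a logged-in account) can be shown concretely. The following is an added example and not Uber's or GitHub's code; the log format, timestamps, addresses and user names are constructed, and only the gist id 9556255 comes from the story. It shows why a matching IP narrows the list of accounts without proving anything, and why an access made through an anonymising proxy leaves no link at all.

```python
"""Correlate a known client IP against a constructed gist access log."""
from datetime import datetime, timezone

GIST_ID = "9556255"  # the gist named in the story

# Constructed log, one access per line: "<timestamp> <client ip> <user or -> <gist id>".
# Addresses are from the RFC 5737 documentation ranges.
ACCESS_LOG = """\
2014-03-14T09:12:03Z 198.51.100.23 alice 9556255
2014-03-14T09:15:41Z 203.0.113.7 - 9556255
2014-03-14T10:02:17Z 192.0.2.44 bob 9556255
2014-03-14T10:02:59Z 203.0.113.7 dev-carol 9556255
2014-03-15T18:30:00Z 198.51.100.23 alice 1234567
2014-05-12T22:47:10Z 203.0.113.7 - 9556255
"""

# Six-month window, matching the span the subpoena is said to ask for (assumed dates).
SINCE = datetime(2014, 3, 1, tzinfo=timezone.utc)
UNTIL = datetime(2014, 9, 1, tzinfo=timezone.utc)


def parse_log(text):
    """Turn the constructed log text into a list of dicts."""
    entries = []
    for line in text.splitlines():
        ts, ip, user, gist = line.split()
        entries.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "ip": ip,
            "user": None if user == "-" else user,  # '-' means not logged in
            "gist": gist,
        })
    return entries


def accesses_of(entries, gist_id):
    """Every access to one gist, logged in or not."""
    return [e for e in entries if e["gist"] == gist_id]


def matching_ip(entries, gist_id, ip, since, until):
    """Accesses to the gist from the given IP inside the time window."""
    return [e for e in accesses_of(entries, gist_id)
            if e["ip"] == ip and since <= e["ts"] < until]


def candidate_accounts(matches):
    """Usernames seen on matching accesses; anonymous hits contribute nothing."""
    return sorted({e["user"] for e in matches if e["user"]})


def summarize(entries, gist_id, ip, since, until):
    """What a log holder could actually answer about one IP and one gist."""
    all_hits = accesses_of(entries, gist_id)
    matches = matching_ip(entries, gist_id, ip, since, until)
    return {
        "total_accesses": len(all_hits),
        "distinct_ips": len({e["ip"] for e in all_hits}),
        "matches": len(matches),
        "anonymous_matches": sum(1 for e in matches if not e["user"]),
        "candidate_accounts": candidate_accounts(matches),
    }


if __name__ == "__main__":
    entries = parse_log(ACCESS_LOG)
    # IP that does appear in the gist log: yields one named account and two anonymous hits.
    print(summarize(entries, GIST_ID, "203.0.113.7", SINCE, UNTIL))
    # IP seen only at the database (assumed proxy exit): nothing to link to.
    print(summarize(entries, GIST_ID, "203.0.113.250", SINCE, UNTIL))
```

The second call is the case the thread keeps returning to: if the address that touched the database never touched the gist, the log holder has nothing to return, and even a hit with a username only says that account was behind that address at that moment.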

    6. Re:Just a distraction from the real fail... by Anonymous Coward · · Score: 2, Insightful

      It is a very common occurrence. Despite what many like to believe, the vast majority of developers are completely clueless when it comes to security and handling secrets.

    7. Re:Just a distraction from the real fail... by Anonymous Coward · · Score: 0, Funny

      And this right here is why open source is less secure. ;-)

    8. Re:Just a distraction from the real fail... by Anonymous Coward · · Score: 3, Interesting

      Lots of companies employ junior devs they can push around.

      I'd bet my life that Uber has no opsec procedure at all for sharing keys on their dev team.

      The dev was an idiot, sure, but s/he probably thought a secret gist was "good enough". And now this kid is gonna be the fall guy/girl for a failure of technical and managerial leadership.

    9. Re:Just a distraction from the real fail... by fred911 · · Score: 3, Informative

      "Or there could be 2 accesses of that file, depending on how long they left it up there"

      They're asking for 6 months of data. Here's the subpoena.

        http://regmedia.co.uk/2015/02/...

      --
      09 F9 11 02 9D 74 E3 5B - D8 41 56 C5 63 56 88 C0 45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
    10. Re:Just a distraction from the real fail... by Anonymous Coward · · Score: 4, Interesting

      There's tons of very skilled and usually-careful criminals in prison.

      The above is complete bullshit.

      The prisons house people who were sloppy, stupid, and lazy.

      The smart criminals are in political office and on boards of corporations.

    11. Re:Just a distraction from the real fail... by 140Mandak262Jamuna · · Score: 4, Informative

      There's tons of very skilled and usually-careful criminals in prison.

      The above is complete bullshit.

      The prisons house people who were sloppy, stupid, and lazy.

      The smart criminals are in political office and on boards of corporations.

      No. Medium level smart criminals become politicians. The real top level smart criminals become C?O of publicly traded corporations, usually banks, and mutual funds. The super smart criminals buy the politicians to provide safety net for the smart C?O criminals and they remain largely opaque to scrutiny.

      --
      sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    12. Re:Just a distraction from the real fail... by CaptainDork · · Score: 1

      Interestingly, there may be no parties of standing except Uber and the hackers. The drivers would have to show damages that have already occurred, and cannot recover for conjectured damages in the future by reason of breach of privacy.

      --
      It little behooves the best of us to comment on the rest of us.
    13. Re:Just a distraction from the real fail... by Anonymous Coward · · Score: 1

      What kind of fucking retard uploads secrets to github?

      I know, right? Git is so intuitive and easy to figure out that there's *no way* anybody should be doing that accidentally.

    14. Re:Just a distraction from the real fail... by Anonymous Coward · · Score: 2, Interesting

      Any hacker worth their weight surfs hidden all the time just for the very reason you mentioned. Hackers leech git around the clock looking for keys and chances are that's how it was found. Even if they narrow it down it's going to be damn near impossible to prove.

    15. Re:Just a distraction from the real fail... by retchdog · · Score: 1

      which means very little in itself.

      --
      "They were pure niggers." – Noam Chomsky
    16. Re:Just a distraction from the real fail... by retchdog · · Score: 2

      The prisons house people who were sloppy, stupid, and lazy.

      script kiddies often fall into those categories, yes.

      and prisons also house people who didn't quit while they were ahead.

    17. Re: Just a distraction from the real fail... by Anonymous Coward · · Score: 1

      Because you can't hard code keys into publicly available code without letting people see those keys?
      Not much of a reason.
      Even with closed source the key can still leak.

    18. Re:Just a distraction from the real fail... by stephanruby · · Score: 1

      That doesn't change the fact that the attacker committed a crime and illegally accessed private information.

      If you provide an api with a key already included in the sample code.

      https://github.com/uber

      Using that sample code doesn't necessarily mean it was an attack.

    19. Re:Just a distraction from the real fail... by Anonymous Coward · · Score: 2, Informative

      The same kind that constantly commits vim swap, openoffice lock files and other junk files into svn. From my experience, it's not that rare, and they aren't retarded, just careless or insufficiently trained.
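Both failure modes discussed in this thread, keys left in code that gets published (the first thread above) and editor junk files committed by accident (the comment just above), are cheap to catch before anything leaves the developer's machine. The scanner below is an added example, not Uber's or GitHub's tooling; the key patterns, junk-file names and sample files are assumptions chosen to illustrate the checks, not an exhaustive list. Wired in as a pre-commit hook it refuses the commit when anything matches.

```python
"""Pre-commit style scan for leaked credentials and editor junk files."""
import re
import sys
from pathlib import Path

# Credential shapes recognisable without knowing which service they belong to.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # A 40-character base64-like value assigned to something named like an AWS secret.
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_-]?secret[_-]?(?:access[_-]?)?key\W{1,5}[A-Za-z0-9/+=]{40}\b"
    ),
    "private_key_block": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    # Generic: api_key / auth_token / password assigned a long quoted literal.
    "generic_assignment": re.compile(
        r"(?i)\b(?:api[_-]?key|auth[_-]?token|password)\b\s*[:=]\s*['\"][^'\"]{8,}['\"]"
    ),
}

# Files with no source value that are frequently committed by accident.
JUNK_FILE_PATTERNS = [
    re.compile(r"\.sw[a-p]$"),      # vim swap files
    re.compile(r"^\.~lock\..*#$"),  # LibreOffice/OpenOffice lock files
    re.compile(r"^\.DS_Store$"),    # macOS folder metadata
    re.compile(r"~$"),              # editor backup files
]


def find_secrets(text):
    """Return (pattern_name, line_number) for every credential-looking line."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                hits.append((name, lineno))
    return hits


def is_junk_path(path):
    """True if the file name matches a known editor/OS junk pattern."""
    name = Path(path).name
    return any(p.search(name) for p in JUNK_FILE_PATTERNS)


def scan_files(files):
    """Scan a {path: contents} mapping and return human-readable findings."""
    findings = []
    for path, contents in files.items():
        if is_junk_path(path):
            findings.append(f"{path}: junk file, should not be committed")
        for name, lineno in find_secrets(contents):
            findings.append(f"{path}:{lineno}: possible {name}")
    return findings


# Constructed sample commit: a config with AWS-style keys (the ids are the
# AWS documentation examples, not live credentials), a stray vim swap file,
# a private key with its material omitted, and a harmless README.
SAMPLE_FILES = {
    "config.py": (
        "DB_HOST = 'db.internal'\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "aws_secret_access_key = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
        "api_key = \"sk_live_0123456789abcdef\"\n"
    ),
    ".config.py.swp": "binary swap contents",
    "deploy_key": "-----BEGIN RSA PRIVATE KEY-----\n(key material omitted)\n-----END RSA PRIVATE KEY-----\n",
    "README.md": "Nothing to see here.\n",
}

if __name__ == "__main__":
    # With file paths on the command line, scan those (as a git hook would);
    # otherwise run against the constructed sample.
    if len(sys.argv) > 1:
        files = {p: Path(p).read_text(errors="replace") for p in sys.argv[1:]}
    else:
        files = SAMPLE_FILES
    problems = scan_files(files)
    for line in problems:
        print(line)
    sys.exit(1 if problems else 0)
```

A pattern scan like this only catches credentials that look like credentials; the stronger control, as several posters imply, is to keep secrets out of source entirely (environment or a secrets store) so there is nothing to forget to remove.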

    20. Re:Just a distraction from the real fail... by ultranova · · Score: 2

      There could be hundreds of legitimate accesses of that file. If the hacker was indeed using a hidden IP address to access the database, but his real IP to download the gist, how are Uber going to determine that from all the other legitimate accesses?

      Why would they? They'll simply raise a lawsuit demanding damages against them all. Since that's a civil suit, the accused need to prove their innocence, which will take years and absurd amounts of money - or they can settle out of court with Uber for a couple thousand dollars.

      Nothing personal, just business.

      --
      Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

    21. Re:Just a distraction from the real fail... by Anonymous Coward · · Score: 0

      The principle is the same in cyberspace as in meatspace.

      Uber rarely understands this.

      Uber is doing nothing wrong or atypical in trying to identify the hacker.

      "Uber is doing nothing wrong" -- wow, a first! Champagne for everyone!

    22. Re:Just a distraction from the real fail... by gnasher719 · · Score: 2

      Why would they? They'll simply rise a lawsuit demanding damages against them all. Since that's a civil suit, the accused need to prove their innocence, which will take years and absurd amounts of money - or they can settle out of court with Uber for a couple thousand dollars.

      Since they know or should know that most of the people accessing that site haven't done anything wrong, that could get them into deep trouble. And Uber has deep pockets filled with a billion dollars of investors' money, and some lawyer will take them on and make a mint.

    23. Re:Just a distraction from the real fail... by Anonymous Coward · · Score: 0

      There's tons of very skilled and usually-careful criminals in prison. Everyone makes mistakes sooner or later. Maybe the attacker did this time.

      As someone who worked in corrections previously, this comment shows a distinct lack of knowledge about inmates. Most people who are in prison show a distinct lack of one thing that would have kept them out of prison: common sense. Tell you what... Go volunteer in a jail or prison for about six months. Believe me, after dealing with some of the knuckleheads you'll talk to in there, you will change your opinion.

    24. Re:Just a distraction from the real fail... by jtara · · Score: 2

      gists have nothing to do with git.

      It's a GitHub proprietary feature. It's kinda like a pastebin, but it sticks around. You can publish gists from a repo, though.

      Developers use them to share little snippets that don't deserve a repo. They are often used for support cases, as a home for snippets used in a programming blog, etc. etc. etc. A developer might make a gist to show to an open-source author or to a commercial software vendor's support team, etc. Like, "here's what I did, what is wrong with this?" kinda thing.

  3. Maybe they are just dumb? by Anonymous Coward · · Score: 1

    Possibly the breach was related to this http://nathanmock.com/archives/how-i-accessed-employee-settings-on-ubers-app

    1. Re:Maybe they are just dumb? by jtara · · Score: 1

      I'd say yea, they certainly are dumb! Don't put an admin switch in a consumer app! Sure, they could have put in better checking to make sure it is an appropriate account accessing, but, still, it is better to just leave the code out of the app!

      There should be a separate driver app, possibly off the app store. The Enterprise Program is not appropriate, because Uber drivers are not Uber employees, so not technically eligible. But Apple now has a B2B program where this would fit. Even a separate App-Store driver app would be better, because at least it wouldn't (normally) be in the hands of normal users. (I don't know nuthin about Google Play Store. But drivers could just install the driver app from a download on Android, right? Besides, nobody expects security on Android...)

      Sure, an app-store driver app would be a target. Which is good. They'd have to be especially careful with that app to make sure that nobody can actually log-in with it without having a driver account. (But, really, best to keep it completely off the public App Store.)

      I'm currently working on an app for Karaoke singers to show the Songbook and request to sing. (Works with some popular Karaoke-hosting software.) I'll also have a kiosk version and another version for Karaoke hosts to remote-control the show. Even for this, I know better than to put all this into a single app! Because: Karaoke Murders. Hey, some of these people are serious. Yea, if some singer could take over the show, they would. I mean, they sometimes do this:

      Karaoke Killings in East Asia

      I have a workflow for making variant apps. Don't just pour all the code into a single app!
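The point above about an admin switch in a consumer app is one of authorisation: a flag the client sends is not a permission. The following is an added example, not Uber's app code; the account table, roles, actions and request shape are constructed. It puts the "hidden employee mode" handler beside one that decides from a server-side role, so that shipping the switch in the consumer app (or any other client) no longer matters to the outcome.

```python
"""Client-side 'employee mode' flag versus server-side role authorisation."""

# Constructed server-side account table. The role lives with the account and
# is never read from anything the client sends.
ACCOUNTS = {
    "rider-1001": {"role": "rider"},
    "driver-2002": {"role": "driver"},
    "ops-3003": {"role": "employee"},
}

# Which actions each role may perform (constructed).
ROLE_ACTIONS = {
    "rider": {"request_ride", "view_own_trips"},
    "driver": {"accept_ride", "view_own_trips", "view_own_earnings"},
    "employee": {"view_driver_records", "toggle_surge", "view_own_trips"},
}


def handle_vulnerable(request):
    """Trusts a flag from the client: the hidden switch in the consumer app.

    Anyone who discovers the flag (by reading the app or its traffic) gets the
    employee screens regardless of who they are.
    """
    body = request.get("body", {})
    if body.get("employee_mode") is True:
        return ("allow", request["action"])
    if request["action"] in ROLE_ACTIONS["rider"]:
        return ("allow", request["action"])
    return ("deny", "not permitted")


def handle_hardened(request):
    """Decides from the server-side role of the authenticated account only."""
    account_id = request.get("session", {}).get("account_id")
    account = ACCOUNTS.get(account_id)
    if account is None:
        return ("deny", "unknown account")
    allowed = ROLE_ACTIONS.get(account["role"], set())
    action = request["action"]
    if action not in allowed:
        # Whatever flags the client sent are simply ignored.
        return ("deny", f"{account['role']} may not {action}")
    return ("allow", action)


if __name__ == "__main__":
    # A rider who found the switch asks for employee-only data.
    rider_with_switch = {
        "session": {"account_id": "rider-1001"},
        "action": "view_driver_records",
        "body": {"employee_mode": True},
    }
    print("vulnerable:", handle_vulnerable(rider_with_switch))  # allowed
    print("hardened:  ", handle_hardened(rider_with_switch))    # denied
    # The same action from an account whose server-side role is employee.
    ops_request = {"session": {"account_id": "ops-3003"},
                   "action": "view_driver_records", "body": {}}
    print("hardened:  ", handle_hardened(ops_request))          # allowed
```

With the server deciding from its own role record, separating the employee or driver functions into another app (as the comment recommends) becomes a matter of reducing exposure and attack surface rather than the only thing standing between a rider and the admin screens.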

  4. I'm an expert! Trust me! by nikhilhs · · Score: 5, Funny

    After watching years of Law and Order, I feel I'm qualified to make a judgement. ;)

    This sounds like a fishing expedition. (DUN DUN)

  5. Uber's losing a password is Github's problem how? by Anonymous Coward · · Score: 0

    Sorry, but tough.

  6. Slashdot layout by Anonymous Coward · · Score: 2, Interesting

    Just got back from a two week vacation without internet so maybe I missed the memo... but what the FUCK happened to the slashdot layout? It's all jacked up and completely unusable... Is this the new beta bullshit?

    1. Re: Slashdot layout by Anonymous Coward · · Score: 0, Funny

      Nope. It's climate change.

  7. DL# by dhenson02 · · Score: 1

    Sorry but what the fuck are you planning to do with 50,000 driver's license numbers?

    1. Re:DL# by tlhIngan · · Score: 1

      Sorry but what the fuck are you planning to do with 50,000 driver's license numbers?

      Well, two people are very interested in that, one can find out, and the fourth can exert some leverage and get at information.

      The first two are your DMV (or other agency) and insurance company. The DMV is interested if there's any commercial operations going on by unlicensed drivers. Penalties for such generally are minor, usually just suspension of the commercial activity to suspension of the license and a small fine.

      The second would be insurance companies, who now have a list of people who operated in a commercial capacity. Knowing how they like to weasel out of any insurance payout, they can simply use this to note you did commercial activities on a personal insurance policy and use that as justification to cancel your policy. Of course, they won't do this until you get into an accident, at which point you do get a payout ... of all the premiums you paid from when they cancelled to the accident. Yes, it's a very nasty surprise waiting for people who expect insurance to cover them only to find out they're now stuck with a massive personal liability bill.

      Third group would be tax agencies who are very interested to know about your income-generating activities and did you report it on your income tax form. This takes a bit of work since they generally don't have access to the driver license database to look up people. Maybe you find out when you try to renew that someone wants to have a nice talk first.

      Fourth, well, taxi companies who exert a little pressure on someone to take the driver license number and put them to names and addresses... and I'll leave that one at that.

      The link between person and drivers license isn't only held by the DMV or similar agencies - if you've ever used a driver's license as an ID card, well...

    2. Re:DL# by stoploss · · Score: 1

      The link between person and drivers license isn't only held by the DMV or similar agencies - if you've ever used a driver's license as an ID card, well...

      Which is why god invented passport cards. I never use my driver's license as an ID for precisely this reason.

  8. DIVER's license? by Anonymous Coward · · Score: 0

    They're doing submarine transport now?

  9. Uber planning an amphibious assault? by chaoskitty · · Score: 4, Funny

    Uber has got to have a LOT of drivers if 50,000 of them are also licensed DIVERS. What're they going to do - launch an amphibious assault with 50,000 divers?

    Seriously, people have got to start proofreading their posts. Come on - it's not that hard.

  10. cloud coding by Anonymous Coward · · Score: 0

    It's interesting a lot of breaches lately lead back to github. And considering botnets are scanning github daily.

    It sort of says IP on github, aka source code may not be the free lunch that companies thought github/git would provide.

  11. Uber already in the wrong by Anonymous Coward · · Score: 0

    Uber is already in the wrong by waiting five months to notify anyone. Even if they withheld notification for law enforcement purposes, they waited entirely too long.