17 September 2022

Uber confirms "cybersecurity incident"; it covered up a breach of 50m customers' and 7m drivers' data in 2016

Uber confirms "cybersecurity incident" after 18-year-old claimed to be behind massive breach

It's unclear whether he accessed customer data


What just happened? Uber is investigating a cybersecurity incident that has compromised many of its internal systems, giving the hacker, who says he is just 18 years old, almost complete access to the company's network. The breach is thought to be as bad as or worse than the 2016 incident that exposed the details of 57 million customers.

The New York Times reports that the hacker used a common social engineering technique to access Uber's systems. He sent a text message to one of the ride-hailing giant's employees claiming to be a corporate IT person. The worker was persuaded to hand over their password, granting the perpetrator access to Uber's network.

The hacker provided screenshots of Uber's internal systems to the NYT as proof of his successful attack. He told the publication that he is 18 years old and had been working on his cybersecurity skills for several years, adding that Uber's weak security prompted him to compromise its network.

Once he had access, the hacker sent a Slack message to employees that read: "I announce I am a hacker and Uber has suffered a data breach." It listed several compromised databases and appeared to call for Uber drivers to receive higher pay. Uber took its internal Slack and engineering systems offline earlier today as it investigated the breach.

Sam Curry, a security engineer at Yuga Labs who corresponded with the hacker, said the person has full admin access to Uber's Amazon Web Services and Google Cloud services. "It seems like maybe they're this kid who got into Uber and doesn't know what to do with it, and is having the time of his life," Curry said.

In an official statement, Uber wrote: "We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available."

Besides his age, little is known about the hacker, though it's speculated that he is British; an employee said he used the word "wankers," and he may go by the username 'teapots2022.' He also accessed Uber's HackerOne vulnerability bug bounty account and left comments on several report tickets.


The breach is being compared to the 2016 incident in which the names, email addresses, and phone numbers of 50 million Uber customers, along with the personal details of 7 million drivers, were stolen. Uber paid the hackers responsible $100,000 to delete the data and stop the incident from becoming public knowledge, and it concealed the breach for over a year. The company had to pay a $148 million settlement for the hack and its failure to disclose what happened.

Source: techspot.com

16 September 2022

FTC Sues Location Data Broker - Kochava


Phone app location data brokers are a growing menace to our privacy and safety. All you did was click a box while downloading an app. Now the app tracks your every move and sends it to a broker, which then sells your location data to the highest bidder.

So three cheers for the Federal Trade Commission for seeking to end this harmful marketplace! The FTC recently sued Kochava, a location data broker, alleging the company violated a federal ban on unfair business practices. The FTC’s complaint against Kochava illustrates the dangers created by this industry.

Kochava harvests and monetizes a staggering volume of location data. The company claims that on a monthly basis, it provides its customers access to 94 billion data points arising from 125 million active users. The FTC analyzed just one day of Kochava’s data, and found 300 million data points arising from 60 million devices.

Kochava’s data can easily be linked to identifiable people. According to the FTC:

The location data provided by Kochava is not anonymized. It is possible to use the geolocation data, combined with the mobile device’s MAID [that is, its “Mobile Advertising ID”], to identify the mobile device’s user or owner. For example, some data brokers advertise services to match MAIDs with ‘offline’ information, such as consumers’ names and physical addresses.

Even without such services, however, location data can be used to identify people. The location data sold by Kochava typically includes multiple timestamped signals for each MAID. By plotting each of these signals on a map, much can be inferred about the mobile device owners. For example, the location of a mobile device at night likely corresponds to the consumer’s home address. Public or other records may identify the name of the owner or resident of a particular address.

Kochava’s location data can harm people, according to the FTC:

[T]he data may be used to identify consumers who have visited an abortion clinic and, as a result, may have had or contemplated having an abortion. In fact, … it is possible to identify a mobile device that visited a women’s reproductive health clinic and trace that mobile device to a single-family residence.

Likewise, the FTC explains that the same data can be used to identify people who visit houses of worship, domestic violence shelters, homeless shelters, and addiction recovery centers. Such invasions of location privacy expose people, in the words of the FTC, to “stigma, discrimination, physical violence, emotional distress, and other harms.”

The FTC Act bans “unfair or deceptive acts or practices in or affecting commerce.” Under the Act, a practice is “unfair” if: (1) the practice “is likely to cause substantial injury to consumers”; (2) the practice “is not reasonably avoidable by consumers themselves”; and (3) the injury is “not outweighed by countervailing benefits to consumers or to competition.”

The FTC lays out a powerful case that Kochava’s brokering of location data is unfair and thus unlawful. We hope the court will rule in the FTC’s favor. Other location data brokers should take a hard look at their own business model or risk similar judicial consequences.

The FTC has recently taken many other welcome actions to protect people’s digital rights. Last month, the agency announced it is exploring new rulemaking against commercial surveillance. Earlier this year, the FTC fined Twitter for using account security data for targeted ads, brought lawsuits to protect people’s right-to-repair, and issued a policy statement against edtech surveillance.

Microsoft advertising infestation on smart phone apps


In a bit of bad news for some who use Outlook, Microsoft confirmed this week that it has started showing more ads in the Android and iOS app to non-paying customers. People without Microsoft 365 subscriptions can avoid ads to some extent by using Focused Inbox for important emails only, but ads will still be shown in the "Other" section of the app.

In related news, Microsoft has also started testing ads in the Microsoft Store. Developers can now register to start participating in this initiative by filling in a form. The way that ads will be surfaced is quite similar to other digital storefronts. For example, if you search for an app, you may see ads for other apps on the side with the "Ad" badge displayed.

When it comes to other Microsoft apps and services, Whiteboard is set to receive a slew of new features soon. This includes embedded online video support, timer, attribution, commenting, and more. Similarly, Teams has netted a bunch of new features for educators and students too. This includes a new experience called "Reflect" and a revamped home page. Finally, frontline workers utilizing Microsoft's Kaizala should know that the messaging service is being retired after one year in favor of Teams.

Source: neowin

Note: If you are concerned about security and privacy, Microsoft Office/Windows products are not recommended.

Customs officials have copied Americans’ phone data at massive scale

Contacts, call logs, messages and photos from up to 10,000 travelers’ phones are saved to a government database every year

Courts have given border authorities the power to search people’s devices without a warrant or suspicion of a crime. Above, JFK Airport in New York.

U.S. government officials are adding data from as many as 10,000 electronic devices each year to a massive database they’ve compiled from cellphones, iPads and computers seized from travelers at the country’s airports, seaports and border crossings, leaders of Customs and Border Protection told congressional staff in a briefing this summer.

The rapid expansion of the database and the ability of 2,700 CBP officers to access it without a warrant — two details not previously known about the database — have raised alarms in Congress about what use the government has made of the information, much of which is captured from people not suspected of any crime. CBP officials told congressional staff the data is maintained for 15 years.

Details of the database were revealed Thursday in a letter to CBP Commissioner Chris Magnus from Sen. Ron Wyden (D-Ore.), who criticized the agency for “allowing indiscriminate rifling through Americans’ private records” and called for stronger privacy protections.

The revelations add new detail to what’s known about the expanding ways that federal investigators use technology that many Americans may not understand or consent to.

Agents from the FBI and Immigration and Customs Enforcement, another Department of Homeland Security agency, have run facial recognition searches on millions of Americans’ driver’s license photos. They have tapped private databases of people’s financial and utility records to learn where they live. And they have gleaned location data from license-plate reader databases that can be used to track where people drive.

CBP’s inspection of people’s phones, laptops, tablets and other electronic devices as they enter the country has long been a controversial practice that the agency has defended as a low-impact way to pursue possible security threats and determine an individual’s “intentions upon entry” into the U.S. But the revelation that thousands of agents have access to a searchable database without public oversight is a new development in what privacy advocates and some lawmakers warn could be an infringement of Americans’ Fourth Amendment rights against unreasonable searches and seizures.

CBP spokesman Lawrence “Rusty” Payne said in a statement Thursday that the agency conducts “border searches of electronic devices in accordance with statutory and regulatory authorities” and has imposed rules to ensure the searches are “exercised judiciously, responsibly, and consistent with the public trust.”

The database, known as the Automated Targeting System, is used “to further review, analyze, and assess information CBP obtained from electronic devices associated with individuals who are of a significant law enforcement, counterterrorism” or national security concern, he said.

CBP officials declined, however, to answer questions about how many Americans’ phone records are in the database, how many searches have been run or how long the practice has gone on, saying it has made no additional statistics available “due to law enforcement sensitivities and national security implications.”

A 2018 CBP directive establishing rules for the searches said officers should only retain information relating to immigration, customs or “other enforcement matters” unless they have probable cause that could justify saving more of the phones’ contents.

In the briefing this summer, however, CBP officials said their default configuration for some of the searches had been to download and retain all contact lists, call logs and messages, a Wyden aide said.

CBP officials retain people’s phone data in a very small fraction of searches and only when “absolutely necessary,” Aaron Bowker, CBP’s director of office of field operations, said in an interview Thursday.

CBP conducted roughly 37,000 searches of travelers’ devices in the 12 months ending in October 2021, according to agency data, and more than 179 million people traveled that year through U.S. ports of entry. The agency has not given a precise number of how many of those devices had their contents uploaded to the database for long-term review.

A Wyden aide said their office was told 2,700 DHS officials had access to the data. Bowker said that number is incorrect and that 5 percent of CBP’s 60,000-employee operational workforce, or 3,000 officials, is given access.

Bowker said those authorized officials are trained, audited and supervised, and that the level of data access is appropriate given the size of the task. Bowker said no other government agency has direct access to this data but that officials can request information on a case-by-case basis.

“You have to have enough operational personnel who are able to do this properly around the clock,” Bowker said. “We have 328 ports of entry. We are a 24/7 operation. You don’t know who’s going to show up where and when.”

Law enforcement agencies must show probable cause and persuade a judge to approve a search warrant before searching Americans’ phones. But courts have long granted an exception to border authorities, allowing them to search people’s devices without a warrant or suspicion of a crime.

CBP officials have relied on that exception to support their collection of data from travelers’ phones. Sens. Wyden and Rand Paul (R-Ky.) introduced a bill last year that would require border officials to get a warrant before searching a traveler’s device.

The CBP directive gives officers the authority to look and scroll through any traveler’s device using what’s known as a “basic search,” and any traveler who refuses to unlock their phone for this process can have it confiscated for up to five days.

In a 2018 filing, a CBP official said an officer could access any device, including in cases where they have no suspicion the traveler has done anything wrong, and look at anything that “would ordinarily be visible by scrolling through the phone manually,” including contact lists, calendar entries, messages, photos and videos.

If officers have a “reasonable suspicion” that the traveler is breaking the law or poses a “national security concern,” they can run an “advanced search,” connecting the phone to a device that copies its contents. That data is then stored in the Automated Targeting System database, which CBP officials can search at any time.

Faiza Patel, the senior director of the Liberty and National Security Program at the Brennan Center for Justice, a New York think tank, said the threshold for such searches is so low that the authorities could end up grabbing data from “a lot of people in addition to potential ‘bad guys,’” with some “targeted because they look a certain way or have a certain religion.”

DHS investigators have increasingly used analytical and machine-learning tools to map out relationships and behaviors from vast reserves of phone data, meaning that even people whose phones have not been accessed could get swept up in a database search.

“It’s not just what you say or do that’s of interest to DHS, it’s what everybody you know says and does,” Patel said. “You may become suspicious just because someone you’re only tangentially related to says something on your timeline or is on your call log. … And when you have 2,700 people having access, you have very little control over the uses to which they put this information.”

The CBP directive on device searches was issued several years after a federal appeals court ruled that a forensic copying of a suspect’s hard drive had been “essentially a computer strip search” and said officials’ concerns about crime did “not justify unfettered crime-fighting searches or an unregulated assault on citizens’ private information.”

The Wyden aide also said that the CBP database does not require officers to record the purpose of their search, a common technical safeguard against data-access misuse. CBP officials said all searches are tracked for later audit.

DHS’ Office of Inspector General said in a 2018 report that officers had not always fully documented their device searches, making it hard to verify whether they had been properly run. CBP officials said then that they would conduct closer monitoring.

But in a follow-up report last year, the inspector general’s office said the agency was continuing to “experience challenges” in sufficiently managing searches of people’s phones. CBP said it was working to address the issues.

The “advanced search” program, which began in 2007 as a project known as Document and Media Exploitation, has expanded to cover more than 130 ports of entry, the inspector general’s office said in its report last year.

CBP has over the years referred information from people’s devices to Immigration and Customs Enforcement, local police agencies and the FBI for further investigation, the report said.

CBP officials give travelers a printed document saying that the searches are “mandatory,” but the document does not mention that data can be retained for 15 years and that thousands of officials will have access to it.

Officers are also not required to give the document to travelers before the search, meaning that some travelers may not fully understand their rights to refuse the search until after they’ve handed over their phones, the Wyden aide said.

CBP officials did not say which technology they used to capture data from phones and laptops, but federal documents show the agency has previously used forensic tools, made by companies such as Cellebrite and Grayshift, to access devices and extract their contents.

A CBP officer who runs a search of the system will only see phone data that was extracted from checkpoints in their part of the country, agency leaders told Wyden’s office. But officers will be told that a hit was found in the data from another region, and they are allowed to ask for permission to review that data. CBP did not say how many of those kinds of requests have been made, fulfilled or denied.

The CBP revelations have echoes of a National Security Agency program, first revealed in 2013 by Edward Snowden, that once captured millions of Americans’ phone records as part of a surveillance initiative targeting suspected terrorists. Because officials could follow, or “hop,” from one phone’s records to the next, the system was found to have exposed the records of millions of people not suspected of any crime.

The NSA ended the program in 2019, saying some of the data had been collected in error and that the system had not been all that useful in tracking terrorists or fighting crime.

Source: The Washington Post

15 September 2022

Return YouTube Dislike – The Little Mermaid, ‘woke’ agenda BS




Censorship is high on the agenda of the authorities, which the technocrats are part of / subservient to. 

As Google supplies data to government and non-government organisations, it's only befitting that it censors its platforms, i.e. the 'search' facility and YouTube.

The inability of the general population to see the integer value of dislikes for content creators' videos is plain and simple censorship.

The content viewer is not given an objective detail as to what the general population agrees or disagrees with regarding a particular topic or even political opinion.

In the example of a Disney film called The Little Mermaid, which focuses on some sort of ‘woke’ agenda, the viewer would see only 725k ‘thumbs up’ at the time of this post, having zero idea of how many people dislike Disney's topic at hand.

In this case, what the content viewer does not see is the number of dislikes associated with Disney’s ‘woke’ opinion, which is 1.9M, a ratio of 2.6 dislikes to one like.

We recommend people see the whole story about others’ opinions regarding topics on YouTube; therefore the Firefox extension called “Return YouTube Dislikes” by Dmitry Selivanov is the choice at the moment.

These actions are all part of the (global) Nanny State agenda.

14 September 2022

Victoria Police caught issuing fake permits


IMAGINE IF THE VICTORIAN REGISTRY JUST DID WHAT IT WANTED TO DO?

LEADING PRO-SHOOTERS RIGHTS MP and NSC member Tim Quilty MLC has revealed in Parliament that VicPol’s registry (LRD) has been caught breaking the same laws it administers.

This follows revelations of “missing guns” and allegations of continual misconduct by senior LRD officers. Now they’re issuing ‘pretend permits’ for their friends.




This is the third time Senior Sergeant Armstrong has been named in Parliament.

Tim then went on to detail a long list of misconduct and improper behaviour by LRD, all backed by an overwhelming mountain of evidence.



Source: constitutionwatch.com.au


11 September 2022

ISPs are quietly distributing data that can trace traffic through VPNs

ISPs are quietly distributing "netflow" data that can, among other things, trace traffic through VPNs.


There's something of an open secret in the cybersecurity world: internet service providers quietly give away detailed information about which computer is communicating with another to private businesses, which then sell access to that data to a range of third parties, according to multiple sources in the threat intelligence industry.

The information, known as netflow data, is a useful tool for digital investigators. They can use it to identify servers being used by hackers, or to follow data as it is stolen. But the sale of this information still makes some people nervous because they are concerned about whose hands it may fall into.

"I'm concerned that netflow data being offered for commercial purposes is a path to a dark fucking place," one source familiar with the data told Motherboard. Motherboard granted multiple sources anonymity to speak more candidly about industry issues.

At a high level, netflow data creates a picture of traffic flow and volume across a network. It can show which server communicated with another, information that may ordinarily only be available to the server owner or the ISP carrying the traffic. Crucially, this data can be used for, among other things, tracking traffic through virtual private networks, which are used to mask where someone is connecting to a server from, and by extension, their approximate physical location.
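To make concrete what "which server communicated with another" looks like on the wire, here is an added example (not code from the article or from any vendor it names) that parses a NetFlow v5 export datagram and groups the flows by source address. The datagram is constructed inline from documentation IP ranges; the field layout is the published NetFlow v5 format, and the helper names are the example's own.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address

# NetFlow v5 wire layout (big-endian): a 24-byte header followed by 48-byte flow records.
HEADER_FMT = "!HHIIIIBBH"
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)   # 48

PROTO_NAMES = {6: "tcp", 17: "udp", 1: "icmp"}


def parse_netflow_v5(datagram: bytes) -> list[dict]:
    """Parse one NetFlow v5 export datagram into a list of flow records.

    Only the fields that answer 'who talked to whom, how much, and when' are
    surfaced: addresses, ports, protocol, packet/byte counters and the flow's
    start/end times (in exporter uptime milliseconds).
    """
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    (version, count, _sys_uptime, unix_secs, _unix_nsecs,
     flow_seq, _engine_type, _engine_id, sampling) = struct.unpack_from(HEADER_FMT, datagram, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(datagram) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError("datagram truncated: header advertises more records than present")

    flows = []
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        (src, dst, _nexthop, _in_if, _out_if, pkts, octets, first, last,
         sport, dport, _pad1, tcp_flags, proto, _tos, _src_as, _dst_as,
         _src_mask, _dst_mask, _pad2) = struct.unpack_from(RECORD_FMT, datagram, off)
        flows.append({
            "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "sport": sport, "dport": dport,
            "proto": PROTO_NAMES.get(proto, str(proto)),
            "packets": pkts, "bytes": octets,
            "first_ms": first, "last_ms": last, "tcp_flags": tcp_flags,
            "export_time": unix_secs, "sequence": flow_seq + i,
            # Sampling interval lives in the low 14 bits; 0 means every packet was counted.
            "sampling": sampling & 0x3FFF,
        })
    return flows


def peers_by_source(flows: list[dict]) -> dict[str, set[str]]:
    """Group destination endpoints by source address: the 'who talked to whom'
    view that the article says is normally visible only to the ISP."""
    peers = defaultdict(set)
    for f in flows:
        peers[f["src"]].add(f"{f['dst']}:{f['dport']}/{f['proto']}")
    return dict(peers)


def _record(src, dst, sport, dport, proto, pkts, octets, first, last, flags=0):
    """Build one 48-byte v5 record (helper for the constructed sample only)."""
    return struct.pack(RECORD_FMT, IPv4Address(src).packed, IPv4Address(dst).packed,
                       b"\0\0\0\0", 1, 2, pkts, octets, first, last,
                       sport, dport, 0, flags, proto, 0, 0, 0, 24, 24, 0)


# Constructed sample datagram (not real traffic): one client in the 203.0.113.0/24
# documentation range reaching an HTTPS server and then a VPN endpoint on UDP/1194.
SAMPLE_DATAGRAM = (
    struct.pack(HEADER_FMT, 5, 2, 90_000, 1_663_000_000, 0, 1000, 0, 0, 0)
    + _record("203.0.113.7", "198.51.100.10", 51234, 443, 6, 12, 6_400, 80_000, 85_000, 0x1B)
    + _record("203.0.113.7", "192.0.2.20", 41000, 1194, 17, 300, 210_000, 80_500, 89_900)
)


if __name__ == "__main__":
    for flow in parse_netflow_v5(SAMPLE_DATAGRAM):
        print(flow)
    print(peers_by_source(parse_netflow_v5(SAMPLE_DATAGRAM)))
```

Even with no payload, the records pin down the client, every peer it reached, the ports and protocols, byte volumes and timing, which is why correlating such records across several networks can follow a session through a VPN hop.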

Team Cymru, one threat intelligence firm, works with ISPs to access that netflow data, three sources said. Keith Chu, communications director for the office of Senator Ron Wyden, which has been conducting its own investigations into the sale of sensitive data, added that Team Cymru told the office "it obtains netflow data from third parties in exchange for threat intelligence."


Companies that may source Team Cymru's data include cybersecurity firms hired to respond to data breaches or proactively hunt out hackers. On its website, Team Cymru says it works with both public and private sector teams to "to help identify, track and stop bad actors both in cyber space and on the ground."

"I'm less worried about a bad guy hacker and more worried about a bad guy government or company or politician," one source familiar with the data said. A source in the threat intelligence industry added that they "always thought it was kinda bonkers," referring to Team Cymru's sale of netflow data.

The continued sale of sensitive data could present its own privacy and security concerns, and the news highlights that ISPs are providing this data at scale to third parties likely without the informed consent of their own users. Other companies, such as cybersecurity firm Palo Alto Networks, also have access to netflow data.

"The users almost certainly don't [know]" their data is being provided to Team Cymru, who then sells access to it, the source familiar with the data said.

Team Cymru's customers can probe a dataset, and "effectively run queries against virtually any IP to pull the netflows to and from that IP over a given point in time," one of the sources said. Chu added Team Cymru said it "restricts the amount of data that is returned, so that only a small portion of the netflow data in its database can be accessed by any one client."

In product descriptions, Team Cymru offers users the ability to follow traffic through VPNs, which attackers may use to cover their tracks or ordinary people to browse the internet more privately.

"Trace malicious activity through a dozen or more proxies and VPNs to identify the origin of a cyber threat," one brochure for a Team Cymru product called Pure Signal Recon reads. In essence, access to netflow data lets a security team observe what is happening on the wider internet, and may indicate what is happening to other organizations, beyond the borders of their own network or company. One of the sources said they had previously seen traffic from an organization they knew inside Team Cymru's dataset and were spooked by it at the time.

"Visibility and insight are global," the description adds. An image included in the brochure shows Team Cymru's product letting users trace the activity of servers linked to an Iranian hacking group further than other datasets, such as DNS lookups.


A section of Team Cymru's marketing material for its Pure Signal Recon product. Image: Team Cymru.

In a recent research report on an Israeli spyware vendor called Candiru, Citizen Lab thanked Team Cymru.

"Thanks to Team Cymru for providing access to their Pure Signal Recon product. Their tool’s ability to show Internet traffic telemetry from the past three months provided the breakthrough we needed to identify the initial victim from Candiru’s infrastructure," the report reads. Citizen Lab did not respond to multiple requests for comment.

Team Cymru did not respond to multiple requests for comment on which ISPs provide it with the data, what privacy protections are in place around the collection and distribution of such data, and whether the individual ISP users have provided consent for their data to be shared.


For its Cortex Xpanse product, Palo Alto Networks also gains access to netflow data, according to product documentation available online.

"Cortex® Xpanse™ obtains flow data via multiple relationships with Tier 1 ISPs. Through these relationships, Cortex Xpanse has access to a sample of approximately 80% of global flows," one page reads.

Jim Finkle, director of threat communications at Palo Alto Networks, said in an emailed statement that "Palo Alto Networks provides enterprise customers with netflow data to and from their own networks to identify violations of security policies, gaps in security monitoring and other high-risk activity on the customer’s network." Palo Alto Networks declined to name which ISPs it sources data from, or whether it purchases the data outright from the ISPs.

Dave Schaeffer, CEO of ISP Cogent Communications, which he said handles around 22 percent of the world's internet traffic, told Motherboard that as an ISP his company doesn't provide their netflow data to anybody.

"Fundamentally, people have a right to some degree of anonymity, and as a carrier it's not our job to eavesdrop in any form," he said in a phone call. Schaeffer says Cogent generates 96 percent of its traffic from selling to large wholesale customers, such as Vodafone, Cox, Spectrum, and BT. Schaeffer says Cogent provides services to Team Cymru but does not share netflow data with the company.

"I don't know if there's a lot of really useful things people could do with [netflow] data," he added. "There's probably some bad things I could think of if that data was available."

Although multiple sources were concerned about the sale of netflow data, several of them stressed that Team Cymru is a responsible organization.

"It's pretty shadowy but honestly they're a 'good actor,'" one in the threat intelligence industry said. "Very strict protections on who can see it, but still, yeah, it's shady."

The source familiar with the data said they were concerned about the sale of netflow data, but that Team Cymru "also enable security organizations to do some really awesome work. So I'm conflicted about it."


In May, Motherboard reported that Senator Wyden's office asked the Department of Defense (DoD), which includes various military and intelligence agencies such as the National Security Agency (NSA) and the Defense Intelligence Agency (DIA), for detailed information on its data purchasing practices. The response showed that the Pentagon is carrying out warrantless surveillance of Americans, according to a subsequent letter written by Wyden and obtained by Motherboard.

Some of the answers the DoD provided were given in a form meaning that Wyden's office could not legally publish specifics on the surveillance. Wyden's office then asked the DoD to release the information to the public. At the time, Wyden's office declined to provide Motherboard with specifics on one of the answers, which was classified, but a Wyden aide said that the question related to the DoD buying internet metadata.

"Are any DoD components buying and using without a court order internet metadata, including 'netflow' and Domain Name System (DNS) records," the question read.

Other cybersecurity firms sell access to controversial datasets. In September, Motherboard reported how one firm called HYAS was sourcing smartphone location data to trace people to their "doorstep." As Motherboard has repeatedly shown, the ordinary apps installed on people's phones that gather this information often don't have informed consent to then sell or otherwise provide it to third parties.

Source: vice.com

Corporate fraud by NVIDIA: it plans to manipulate the market. No court action in the US?

Corporate fraud is rampant across ALL industries; all you have to do is catch them out.

At the end of the business day, no one cares until someone takes it to court.

Will NVIDIA (NASDAQ: NVDA) see the inside of a court room?

See more at: