Uber, Social Engineering & Security Weak Links | Expert Blog

Toni Kuokkanen, Nordcloud’s Solution Strategist

I have talked a few times in these blogs about the importance of security and cloud teams keeping staff informed and using appropriate care when dealing with credentials and MFA (multi-factor authentication) management. 

With hackers using increasingly sophisticated tactics like social engineering, cloud security teams need to ensure the tools they adopt – and, just as importantly, the people using those tools – are up to scratch.

Here’s the important point: It doesn’t matter how many millions you pour into your security tech if the people using it aren’t using it to the required level.

Which brings us nicely to Uber. Uber is an unfortunate example of a large-scale organisation that was hacked, with access to its intranet achieved via social engineering.

How did Uber get hacked?

The hacker obtained the MFA approval by repeatedly sending push notifications to the victim while posing as a member of the Uber IT team. The hacker was then able to add their own device to the Uber network and enter internal systems.

[Caption] Alleged hacker shows they gained access to the Uber intranet through MFA

This is a slightly simplified version of events, but once inside, the hacker essentially scanned for file shares and eventually found a script with a hardcoded username and password for the admin account, which is basically gold dust for hackers.

So with just two weaknesses – an individual susceptible to social engineering, combined with some bad practice around internal file sharing – the hacker was able to gain admin access to the internal network of a major global organisation.
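From the defender's side, the pattern described above (a burst of MFA push prompts, a late approval, then a new device being enrolled) is detectable in authentication logs. The following Python script is an added illustration, not part of the original post; the log format and event names (mfa_push_sent, mfa_push_approved, mfa_device_enrolled) are assumptions, and the log lines are constructed, not real Uber data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (illustrative, not real Uber logs):
# <ISO timestamp> <user> <event>
SAMPLE_LOGS = """\
2022-09-15T21:00:05Z alice mfa_push_sent
2022-09-15T21:00:40Z alice mfa_push_sent
2022-09-15T21:01:10Z alice mfa_push_sent
2022-09-15T21:01:45Z alice mfa_push_sent
2022-09-15T21:02:20Z alice mfa_push_sent
2022-09-15T21:03:00Z alice mfa_push_sent
2022-09-15T21:09:30Z alice mfa_push_approved
2022-09-15T21:12:00Z alice mfa_device_enrolled
2022-09-15T21:05:00Z bob mfa_push_sent
2022-09-15T21:05:20Z bob mfa_push_approved
"""

def parse_logs(text):
    """Parse the assumed '<ts> <user> <event>' format into sorted tuples."""
    events = []
    for line in text.splitlines():
        ts, user, event = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event))
    return sorted(events)

def find_push_fatigue(events, window=timedelta(minutes=10), min_pushes=5):
    """Flag approvals preceded by at least `min_pushes` prompts within `window`.
    'enrolled_after' marks a new MFA device registered within `window` after
    the suspicious approval, which is the escalation step seen in the Uber case."""
    by_user = defaultdict(list)
    for ts, user, event in events:
        by_user[user].append((ts, event))  # stays chronological (input is sorted)
    findings = []
    for user, evs in by_user.items():
        for i, (ts, event) in enumerate(evs):
            if event != "mfa_push_approved":
                continue
            pushes = sum(1 for t, e in evs[:i]
                         if e == "mfa_push_sent" and ts - t <= window)
            if pushes < min_pushes:
                continue
            enrolled = any(e == "mfa_device_enrolled" and timedelta(0) <= t - ts <= window
                           for t, e in evs[i + 1:])
            findings.append({"user": user, "pushes": pushes,
                             "approved_at": ts, "enrolled_after": enrolled})
    return findings

if __name__ == "__main__":
    for finding in find_push_fatigue(parse_logs(SAMPLE_LOGS)):
        print(finding)
```

In real deployments the thresholds should be tuned against your own identity provider's baseline, and a hit with enrolled_after set is the one to treat as an incident rather than a nuisance alert.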

What can organisations do to prevent this?

Although this case was very high-profile, it isn't a unique story. We have seen many hacking and ransomware cases where the bad guys infiltrated companies through social engineering.

The usual approach to keeping these hackers at bay clearly isn't working. We have been working with companies for some time, encouraging a more proactive approach: more needs to be done in terms of governance, as well as in the tools teams are adopting.

On a strategic level, we need to communicate better to key decision makers that security has to be thought of as a whole package. Isolated, one-off measures won't keep your people or networks secure – they just give you a false sense of security.

This is probably one of the biggest problems (or misconceptions) currently in companies – you buy that expensive solution from a vendor and think that now you can finally relax knowing that you’re protected. 

Unfortunately, it's just not enough. This complacent approach can really hurt organisations that remain exposed to vulnerabilities, as well as the vendors delivering the security solutions. Yes, vendors often still get the blame if something goes wrong, despite the fact that it's very rarely their fault.

How do you get the investment needed?

So, a holistic view is needed across your environment to systemically secure everything. And this doesn’t just mean the technical parts, but also people. 

And yes, this is often the hardest part: getting people "secured" is a painstaking process that can seemingly never end. It's really an issue of culture – security teams need to train staff and keep them informed about the new methods hackers are using. Even then, there may be individuals who are not up to speed or who let their guard down, leaving themselves and their organisation open to attack.

Now, I also know many businesses see this as a burden in terms of cost rather than an investment. But it really is a proactive investment in the business, and it is usually significantly cheaper than a cleanup operation would be.

For example, the infamous Maersk NotPetya malware case was estimated to have cost the unfortunate party $300M. The malware infiltrated every system on the intranet and halted operations. The one saving grace was that an AD server in Ghana was offline during the attack, so data could be restored from it. Without this, the cost could have been even higher. Pharma company Merck reported costs of $870M following a similar malware incident.

Yes, these are extreme examples, but there are many, many smaller-scale incidents. So, when considering whether something related to security is too expensive, it's worth weighing it against the potential risk to the business. Preparing and planning a whole security posture should be one of the top priorities for businesses today.

It's something that needs to go through the entire organisation and have support from every level. If it comes only from technical people (those most aware of the risks), it won't get the buy-in needed; but likewise, if it is pushed only by senior leadership, some areas will likely be left untouched.

So, how do you get proper support for this? You'll need a degree of perseverance, as the message likely won't get through easily at the first attempt. There will be resistance, and people will question whether this is necessary and whether it's worth the investment in time, resources, or cost. But once the need and the investment are fully understood, stakeholders from across the business will see why it needs to be made.

For sure, today's security landscape is constantly changing and hackers are becoming increasingly sophisticated. But human nature often means we remain complacent, too trusting, or stuck with an 'it won't happen to me' attitude. So, until there is a silver-bullet solution to security, we all need to focus on staying on top of our vulnerabilities.
