As an individual working for an identity-based security company, it’s getting a little tiring to hear about yet another preventable breach. At what point will we, as an industry, accept responsibility for protecting user credentials? We see breaches regularly reported and the credential is the common thread. It’s frustrating to know that intelligent authentication solutions could have prevented most of the breaches we read about in the news.
Let’s take a look at the big headliner this week: Uber reportedly paid attackers $100,000 to delete breached data obtained and concealed for over a year, impacting over 50 million customers. How did it happen? According to Bloomberg, here’s how the attack went down:
“Two attackers accessed a private GitHub coding site used by Uber software engineers and then used login credentials they obtained there to access data stored on an Amazon Web Services account that handled computing tasks for the company. From there, the hackers discovered an archive of rider and driver information. Later, they emailed Uber asking for money, according to the company."
Let's break this down to understand how personal information was ultimately accessed:
1. Access to private GitHub: How did this even happen? The GitHub repository probably stores all the code for the site and the apps. How this was not considered sensitive and in need of strong authentication is shocking. But first and foremost, credentials were needed for access. As more information comes to light, we will likely learn the attackers took one of two routes: 1) Web-based login and scanning the repository or 2) using git tools to pull or checkout repos. Either way, something more than a password is needed to secure.
2. Credentials were stored in files in the repo: Hey, we all make mistakes when coding and commit some thoughtless things. I wouldn't even put this in the credential harvesting category. Most teenagers today can navigate pages and code to find credentials. This just should have never happened. Everyone can learn from this mistake: never store credentials in a code repository.
3. Credentials from GitHub granted access to live systems in AWS: This one hurts...I have a feeling many DevOps-focused individuals face-palmed when they read this. Attackers often pivot from one system to another to avoid detection, so putting strong authentication in front of all sensitive systems is critical. Strong authentication in front of GitHub and AWS could have kept Uber out this public relations nightmare.
Considering the three items above, it’s clear adding adaptive access controls would have helped prevent access that eventually led to Uber customer information being breached. Learning from Uber’s mistakes, here are a few steps you can take to ensure you don’t fall victim to a similar fate:
- Protect GitHub repository with strong authentication: SecureAuth, leveraging federation, would have forced a multi-factor authentication (MFA) step if risk was detected. That risk could be triggered by characteristics including originating network (ie. anonymous proxy or any high-risk IP) or unfamiliar location, phone, behavior.
- Invoke code review processes and scrub all credentials from GitHub repos: This isn’t a SecureAuth-specific capability, but a best practice that should be adopted by all development teams.
- Protect the running systems in AWS with Adaptive Authentication: Adding adaptive access controls provides additional security beyond just passwords and even MFA. Looking at contextual and risk factors related to every user means SecureAuth can deny high-risk access attempts, require MFA step for medium risk attempts, and allow low-risk attempt in with only a password and/or username.
Uber is taking heat on a number of fronts, including high-profile resignations, regulatory investigations, and likely brand and market share damage. The key takeaway is that breaches like these can be prevented by changing the way businesses look at identity and security. A proactive approach to protecting identities and credentials should be the number one focus of any IT security team. Prevent the misuse of credentials and you will reduce risk for your business.