In late November it was revealed that Uber reportedly paid the attackers $100,000 to delete data stolen in a breach that the company then concealed for over a year. In the wake of the news, Uber's chief security officer Joe Sullivan had to resign from the company.
Uber's breach highlights the fact that passwords and simple two-factor authentication are no longer enough to stop attackers. 81 percent of hacking-related breaches involve stolen or weak credentials, and Uber is now responsible for exposing another 57 million rider and driver records. In Uber's case the weak link was the authentication around GitHub and AWS.
This breach will have knock-on effects across the industry, because stolen credentials often lie dormant on the dark web or in the hands of cybercriminals only to resurface later. Uber users should reset their password for the app and for every other account where the same password was reused.
Organizations (especially global businesses like Uber!) need to implement smart, adaptive methods of authentication with contextual risk analysis built in throughout, negating the damage of stolen or lost credentials.
Here's a recap of how the Uber attack took place: attackers gained access to a private GitHub repository used by Uber software engineers. They then used credentials found there to access data stored in an Amazon Web Services (AWS) account that handled computing tasks for the company. From there, the attackers were able to locate a valuable archive of rider and driver information. Armed with this data, they contacted Uber to demand money.
Learning from Uber's mistakes, there are three key steps businesses can take to ensure they don't fall victim to a similar attack:
1. Protect GitHub repositories with strong, multi-factor authentication (MFA): additional authentication steps can be triggered by characteristics such as suspicious originating network behaviour (an anonymous proxy or any high-risk IP), an unfamiliar location, or an unrecognised device.
2. Enforce code review and make sure credentials never land in GitHub repositories: scanning every commit for keys and passwords before it is accepted is best practice that every development team should adopt, because a key that was pushed even once has to be treated as compromised and rotated.
3. Protect systems running in AWS with adaptive authentication: adaptive access controls provide additional security beyond passwords or even MFA. Evaluating contextual risk factors around every user means businesses can deny high-risk or unusual access attempts outright.
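As an added illustration of step 2 (this is example code written for this page, not Uber's or SecureAuth's tooling), the following scanner looks for the kind of credential that was the problem here: an AWS access key ID, or a long high-entropy value assigned to a secret-looking name. The sample config text, the regular expressions and the entropy threshold of 3.5 bits per character are constructed assumptions; the two key values are the documentation examples AWS publishes, not real keys.

```python
"""Constructed example: scan text for committed cloud credentials.

Intended use is a pre-commit hook over `git diff --cached`; the patterns,
threshold and sample input below are illustrative assumptions."""
import math
import re
import subprocess
import sys

# AWS access key IDs are 20 characters starting with AKIA (long-lived) or ASIA (temporary).
AWS_ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# A bare 40-character secret key matches far too much, so instead require a
# secret-looking name on the left of an assignment and a long token on the right.
ASSIGNED_SECRET_RE = re.compile(
    r"(?i)(aws_?secret(?:_access)?_?key|secret|password|passwd|token|api_?key)"
    r"\s*[:=]\s*['\"]?([A-Za-z0-9+/=_\-]{20,})")
ENTROPY_THRESHOLD = 3.5  # bits per character; assumption, tune against your own repos


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character; placeholders like 'deadbeef...' score low."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_secrets(text: str):
    """Return (line_number, kind, value) for every credential-like string found."""
    findings = []
    seen = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in AWS_ACCESS_KEY_RE.finditer(line):
            if m.group(0) not in seen:
                seen.add(m.group(0))
                findings.append((lineno, "aws_access_key_id", m.group(0)))
        for m in ASSIGNED_SECRET_RE.finditer(line):
            value = m.group(2)
            # Low-entropy values are almost always placeholders, not live secrets.
            if value not in seen and shannon_entropy(value) >= ENTROPY_THRESHOLD:
                seen.add(value)
                findings.append((lineno, "high_entropy_secret", value))
    return findings


def scan_staged_changes():
    """Scan only the lines being added by the staged commit (pre-commit hook use)."""
    diff = subprocess.run(["git", "diff", "--cached", "-U0"],
                          capture_output=True, text=True, check=True).stdout
    added = "\n".join(l[1:] for l in diff.splitlines()
                      if l.startswith("+") and not l.startswith("+++"))
    return find_secrets(added)


# Constructed sample of a config file accidentally committed. The key values are
# the AWS documentation examples; the passphrase line deliberately slips past the
# entropy rule (spaces are not in the token class), which is why code review
# remains necessary alongside automated scanning.
SAMPLE = """region = us-east-1
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
db_password = 'correct horse battery staple'
api_token = "deadbeefdeadbeefdeadbeef"
"""

if __name__ == "__main__":
    hits = scan_staged_changes() if "--staged" in sys.argv else find_secrets(SAMPLE)
    for lineno, kind, value in hits:
        print(f"line {lineno}: {kind}: {value[:6]}...")
    sys.exit(1 if hits else 0)
```

Wire `python scan.py --staged` into `.git/hooks/pre-commit` and the commit is rejected when a finding is present; a non-zero exit is the whole mechanism. The scanner reports only two of the four secrets in the sample, which is the point: automated scanning catches the structured keys that gave the Uber attackers their AWS access, and review has to catch the rest.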
Breaches like Uber’s can also be prevented by fundamentally changing the way businesses approach identity and security. Taking a proactive approach to protecting identities and credentials should be the number one focus of any IT security team. This not only prevents the misuse of user credentials but more importantly will reduce risk of cyber-attacks.
Organizations often try to sweep breaches under the rug. This may be due to fear of brand damage, reputation, a hesitation to reveal company details, fear of further questioning on practices and policies or simply the costly clean up required after a breach. All of these are valid concerns. However, by effectively and promptly disclosing breaches, businesses can get in front of the story (and backlash), helping the wider industry to learn from the breach and act accordingly to minimise the chance of it happening again.
There is plenty of data available for developing mitigation strategies tailored to a vertical sector or business size. Such data can inform the defences of a single organization, or best practice across an entire industry, by revealing where the threats are and the scope and size of the problem.
The less-than-1 percent scenario (0.003 percent, to be exact) is the deadliest for enterprises: access attempts from suspicious or known-bad IPs. In these cases it is almost certain that an attack is under way. Legitimate users do not, with few exceptions, come in from bad IPs or anonymous proxies. This is classic attack behaviour, and we stop it by requiring additional factors.
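The policy sketched in steps 1 and 3 above and in this paragraph, as an added example written for this page (not SecureAuth's product logic): each login attempt is scored against threat intelligence and the user's own history, and the outcome is one of allow, step up, or deny. The IP ranges are RFC 5737 documentation addresses standing in for real feeds, and the user profile, device IDs and attempts are constructed. Known-bad IPs are denied before the password is even checked, so an attacker on such an address learns nothing about whether the stolen credential was valid.

```python
"""Constructed example of a risk-based (adaptive) authentication decision."""
import ipaddress
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # require OTP / push-to-accept before granting access
    DENY = "deny"


# Hypothetical threat-intelligence feeds; in practice these come from a reputation
# service. Documentation ranges are used so nothing here points at a real network.
MALICIOUS_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
ANONYMOUS_PROXY_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]


@dataclass
class UserProfile:
    known_devices: set
    usual_countries: set


@dataclass
class Attempt:
    user: str
    ip: str
    device_id: str
    country: str
    password_ok: bool


def in_any(ip, networks):
    return any(ip in net for net in networks)


def evaluate(attempt: Attempt, profile: UserProfile):
    """Return (Decision, reasons). Hard denies first, then step-up signals."""
    ip = ipaddress.ip_address(attempt.ip)
    if in_any(ip, MALICIOUS_NETWORKS):
        # Checked before the password so a bad IP gets no credential oracle.
        return Decision.DENY, ["malicious_ip"]
    if not attempt.password_ok:
        return Decision.DENY, ["incorrect_password"]
    reasons = []
    if in_any(ip, ANONYMOUS_PROXY_NETWORKS):
        reasons.append("anonymous_proxy")
    if attempt.device_id not in profile.known_devices:
        reasons.append("unrecognised_device")
    if attempt.country not in profile.usual_countries:
        reasons.append("unfamiliar_location")
    # A correct password from a familiar device and place is the ~90% happy path;
    # any contextual anomaly costs the user an extra factor rather than access.
    return (Decision.STEP_UP, reasons) if reasons else (Decision.ALLOW, [])


def summarise(attempts, profiles):
    """Count outcomes and reasons, the same breakdown a report would present."""
    counts = {}
    for a in attempts:
        decision, reasons = evaluate(a, profiles[a.user])
        counts[decision.value] = counts.get(decision.value, 0) + 1
        for r in reasons:
            counts[r] = counts.get(r, 0) + 1
    return counts


# Constructed history for one user: a single known laptop, always logging in from GB.
PROFILES = {"alice": UserProfile(known_devices={"laptop-01"}, usual_countries={"GB"})}

# Constructed login attempts covering the happy path and each risk signal.
ATTEMPTS = [
    Attempt("alice", "192.0.2.10", "laptop-01", "GB", True),    # normal login
    Attempt("alice", "192.0.2.10", "laptop-01", "GB", False),   # wrong password
    Attempt("alice", "198.51.100.7", "laptop-01", "GB", True),  # via anonymous proxy
    Attempt("alice", "192.0.2.55", "phone-new", "US", True),    # new device, new country
    Attempt("alice", "203.0.113.9", "laptop-01", "GB", True),   # known-bad IP
]

if __name__ == "__main__":
    for a in ATTEMPTS:
        print(a.ip, a.device_id, a.country, evaluate(a, PROFILES[a.user]))
    print(summarise(ATTEMPTS, PROFILES))
```

The step-up branch is where the value lies: a stolen password used from a new device or an anonymising proxy never reaches the data on its own, and the signals that triggered the challenge are logged as reasons, which is what makes the kind of breakdown in the report below possible.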
To further explore these risks, SecureAuth released its inaugural State of Authentication report this year. Over the course of twelve months, our team gathered data from approximately 500 customers using Adaptive Authentication. We then analysed 617.3 million user authentication attempts to identify success rates, how often multi-factor authentication was required, and the reasons behind failed authentication attempts. Nearly 90 percent of the time authentication took place without a hitch.
However, the remaining 69.1 million authentication attempts were either denied outright or stepped up for additional authentication, such as a one-time passcode (OTP) or push/symbol-to-accept. The top five reasons access was denied or stepped up were as follows:
- Incorrect Passwords: 60.3 million times.
- Suspicious IP address: 2.45 million access attempts stepped up to multi-factor authentication because a log-in request was coming from an unusual IP address.
- An unrecognised device used: 830,000 times.
- Suspicious one-time passcode used: 524,000 times, including when 'deny' was hit on the push-to-accept request.
- Self-service password reset: 200,000 password change requests were denied.
Of the 2.45 million authentication attempts coming from suspicious IP addresses, further analysis found that over 77,000 were denied outright because the IP address was deemed to be malicious, which is very concerning. Malicious IP addresses include those known to be associated with anomalous internet infrastructure, advanced persistent threat (APT) activity, hacktivism, or cybercriminal activity.
Examining many of the high-profile breaches in recent years, and most recently Uber, it only takes a single successful misuse of credentials to expose highly sensitive and confidential company and customer data. These events can incur severe costs to the business and damage that may take brands years to recover from. As businesses plan for 2018 they should ensure all their systems are secured with multi-factor or adaptive authentication technology. This essential step provides a dynamic defence against opportunistic cyber-criminals and is vital for protecting valuable business data.
James Romer, EMEA Chief Security Architect at SecureAuth