Uber discloses data breach that may have affected 50,000 drivers

Uber suffered a data breach in 2014 that affected 50,000 Uber drivers across the U.S., the ride-sharing startup disclosed in a statement on Friday.

The company determined on September 17, 2014 that a third party could have accessed one of its databases. After Uber “changed the access protocols for the database” and looked into the situation, it learned through an investigation that someone apparently accessed one of its databases on May 13, 2014, wrote Katherine M Tassi, Uber’s managing counsel, privacy.

Supposedly, the information that may have been compromised included driver names and their driver license numbers, but the startup said that it is not aware of any “reports of actual misuse” of that data. The company said it will be contacting the drivers, issuing them memberships in identity-alert services and filing a lawsuit to obtain more information about which third party accessed the database.

While this data breach is small compared to the mega breaches that affected JPMorgan Chase, Sony Pictures Entertainment and Anthem in recent months, it’s notable because it seems to be the first publicly known data breach affecting a ride-sharing service.

The data breach also highlights the importance of setting up proper identity management and access controls for a company’s infrastructure, something on which many security startups are concentrating their efforts. At this time, it’s unclear how an unauthorized party was able to access an internal database. However, it’s obvious that Uber will have to ensure better access-management policies for all points in its infrastructure if it wants to make its system less vulnerable to breaches.

The breach comes at a time when President Obama recently proposed a federal law that calls for companies to notify their customers within 30 days of the discovery of a hack. Uber’s discovery of its announced data breach appears to have fallen well outside the 30-day mark and as far as we know, only appears to have affected its own employees.

Law firms will start sharing security data to prevent attacks

It’s clear that big banks provide a lot of incentive for hackers to launch cyber attacks, given the amount of sensitive data they hold and the cash they oversee. But banks aren’t the only entities hackers are targeting. The law firms that represent financial institutions are also subject to attacks, and as a result a group of law firms is banding together to share security data in order to prevent attacks, according to a New York Times report.

The data held by law firms is a treasure trove for hackers because it includes some of the most secretive aspects of companies, including their business operations, deal making and legal disputes. However, the general public may not be aware of law firm hacks because the firms are private entities and don’t have to abide by the same set of rules as public companies, especially when it comes to disclosing their breaches.

The Times report states that both banks and law firms have been working to create a separate legal group that would be connected to the Financial Services Information Sharing and Analysis Center, which acts as the meeting ground where financial entities can share and analyze security related information. A similar group for law firms could form by the end of 2015.

Supposedly, a half-dozen law firms were hacked over the past couple of months and the security company Mandiant has been working with these organizations on the breach, the Times reports, citing an unidentified source.

There’s not a lot of information out there as to the specifics of the cyber attack, but the Times reports that Mandiant recently said during a conference that “many of the bigger hackings of law firms had ties to the Chinese government, which was seeking information on patent applications, trade secrets, military weapons systems and contract negotiations.”

Sharing security data between organizations appears to be a trend, with President Obama recently signing an executive order calling for businesses and the Federal Government to create some kind of hub where they can exchange information.

Additionally, Facebook just released its own collaborative threat detection framework, which includes a number of tech companies pledging support, including Pinterest, Yahoo, Twitter and Dropbox.

What separates the proposed law firm information-sharing group and Facebook’s threat-detection framework from what President Obama is calling on companies to establish is the fact that, as far as we know, law enforcement will not be participating in either project. The White House wants the government to be a part of these data-sharing endeavors, under the premise that it has valuable information, but if organizations want that data, they’ll have to pony up their own.

But privacy concerns in light of the Edward Snowden leaks have caused tech companies to be wary of disclosing information to the government, and in a telling sign, Facebook, Google and Yahoo chose not to participate in the White House’s Summit on Cybersecurity and Consumer Protection held in Stanford a few weeks ago.

Silicon Valley entrant Dtex Systems lands $15M to stop insider data leaks

It’s not every day that a 15-year-old company grabs a series A funding round. However, in the case of Dtex Systems, which plans to announce Wednesday that it took in a $15 million one, it makes sense. The company, formerly based in Australia and now in San Jose, will need that capital and an investment team to grow in the U.S. enterprise security market, explained Dtex Systems CEO Mohan Koo in an interview.

Dtex Systems hawks a security tool that can be installed in a company’s data centers. Most of its clients are on-premise, but Dtex can also be used for the cloud, Koo said. The tool contains a centralized management plane that distributes software-based micro agents throughout the network that record all user activity in its system.

Once the software agents log all that user-activity data, organizations should have a full audit trail on what every employee is doing. Dtex Systems’s data scientists can then crunch that data with their algorithms to detect anomalies that may indicate whether an employee is up to no good.

Dtex human analytics

For example, Dtex Systems’s data science team has apparently learned from the information it’s gleaning that people who resign from their jobs behave differently during their last days of employment when it comes to how they access their organization’s applications or tools, Koo said. Using the Dtex tool, companies should be able to see this sort of atypical behavior and could prevent employees from taking confidential data with them when they leave, he said.

“We built a library of 330 different behavioral events which lead to a security breach, and we can use those for customers,” said Koo.

This Silicon Valley newcomer (it opened its San Jose office a month ago) claims that the years it spent working with Asian and European companies to protect their data centers with threat-detection software give it a leg up on other like-minded security companies, especially when it comes to privacy concerns, said Koo.

To work with companies in Germany and Spain that must comply with European privacy laws, Dtex Systems had to come up with a way to anonymize all that data, and it does so by separating the user-activity data from the names of employees, which get stored in an encrypted table with nondescript names like “user 1” or “user 2.” Companies run the Dtex tool to spot unusual employee behavior in the user-activity data, and if they find something that seems like a breach, “they can request the ID for a forensic investigation” and get to the bottom of the problem, said Koo.

Norwest Venture Partners and Wing Venture Partners drove the investment round with Wing Venture Partners’ founding partner Gaurav Garg joining the startup’s board along with Norwest Venture Partners’ senior managing partner Promod Haque.

Chip firms put security center stage for the internet of things

Big names in the semiconductor world announced more secure hardware Tuesday, while another outlined a framework it wants to offer startups to help bolster security when it comes to building connected devices. Both NXP and Atmel released new security-rich microcontrollers with built-in security features that could take some serious spec sheets to compare and contrast.

However, it’s clear from the announcements at the Embedded World Conference in Germany that when it comes to connected devices, the microcontrollers will have more features built into them to support encryption, along with other features more familiar from higher-end processor cores, such as on-chip random number generators and secure booting. The NXP devices can be combined with additional hardware to prevent physical tampering for use in connected products such as smart electricity meters or even parking meters.

The emphasis on security at the hardware level is becoming more important as microcontrollers are becoming the brains of connected products, according to Jim Trent, VP & GM of the Microcontroller Business at NXP. As more aspects of our medical devices, our cars and even industrial automation become connected to the internet and even to corporate intranets that might be breached, securing those devices becomes essential.

Of course all of this may well be useless if, once you pop that chip into your system, you run insecure hardware on it or hook it into a poorly designed system. This is where Freescale’s efforts come into play. Many of its microcontrollers offer some comparable levels of security already, but John Dixon, director of marketing at Freescale, outlined what it believes is the next step for getting its customers to think about security.

“When a customer comes to you asking if you have a Zigbee chip, we want to also be able to have a conversation about security,” said Dixon. To kickstart that conversation Freescale is teaming up with the Embedded Microprocessor Benchmarking Consortium (EEMBC) to identify critical embedded security gaps and establish guidelines that help connected device designers and manufacturers better secure IoT transactions and products. The founding members of this effort will share their results in the early summer.

John Dixon, director of marketing at Freescale.

Dixon explained that the idea here isn’t to create another standard or some long security document that will overwhelm anyone trying to build a product, but to create a framework that will help start a real conversation and start people thinking about how to design secure products. Freescale is also establishing security labs around the world in its Austin, Texas headquarters and in its other locations where customers and partners can collaborate on workshops and research. And finally, it will put its money where its mouth is by allocating 10 percent of its annual R&D budget to IoT security technologies. This year that budget was about $100 million.

As we said on this week’s podcast, security is becoming a huge issue that the people building connected products need to solve if we’re going to start trusting these devices to help drive our cars, manage our traffic and medicate our family members. We tend to talk about security as a monolithic thing that you either have or you don’t have, but as these chip firms show, it’s actually a series of steps that need to be taken and considered over every step of the product and then over every day of the product’s existence.

These products and efforts will help, but until the manufacturers of connected devices realize that security isn’t an item they can tick off a checklist, but rather a mindset that someone must think about daily over the lifetime of the device, we’re still going to have stories about hacked cars, electric meters and everything else. But it’s good to start someplace.

Facebook launches collaborative threat-detection framework

It might be a bit more difficult for hackers to launch coordinated attacks against several different companies at the same time thanks to a new collaborative threat-detection framework by Facebook called ThreatExchange.

The new security framework, which Facebook plans to announce on Wednesday, works like an online hub where multiple organizations can sign up and deposit data pertaining to the types of hacks and malicious activities they may have experienced. This type of data includes malicious URLs, bad domains, malware and any sort of analytical data a company might have that’s related to that malware, explained Mark Hammell, Facebook’s manager of threat infrastructure and the author of the blog post detailing the framework.

Once all that information is dumped in, Facebook’s graph-database technology can correlate all the data points together and figure out new relationships, such as which malware seems to be talking to a particular domain or if a domain happens to be hosted on a bad IP address, said Hammell. The point is for the framework to ingest all the different security data points between companies so they can keep each other abreast of threats they are experiencing in real-time. If the technology does its job right, users can discover patterns from the data that could help them prevent future attacks.

“We needed to have a platform that lets us share this data in real-time so that when the next attack comes online we are all aware simultaneously,” said Hammell.

The idea behind the new framework came about when Facebook, along with other big tech companies, suffered an attack last year (Hammell said the situation was quickly remedied, which is why there was little mention in the press) from some sort of Windows-related malware “that would try to hijack a variety of social-sharing accounts and use those accounts to propagate.” Essentially, the malware could spread itself across the various services of each company because of the way each service happens to be connected to one another.

For example, Hammell said that the attack might have started out from a private Facebook message that sent a corrupted link to a Tumblr blog that happened to be created with a Yahoo account.

Although the malware was eventually stopped, Facebook decided to build upon its existing ThreatData framework and open it up to other companies to use through APIs. It’s similar to how developers can connect to Facebook through APIs and create applications on its platform, explained Hammell.

Pinterest, Tumblr, Twitter, and Yahoo all gave Facebook feedback on the new framework and Bitly and Dropbox have now signed on to contribute as well.

As an example of how someone might use ThreatExchange, Hammell said participants will be able to search for any “malicious domains that have been added in the past day to the system.” If they want to add to ThreatExchange a malicious domain that they might have discovered, they can put it into the system and the underlying graph database technology can spit out a list of URLs that it associates with the bad domain, which could be an indication that the malware is trying to spread across numerous sites.

Now that users can see who else might be affected, they can then ping the appropriate parties within the framework, said Hammell.
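The correlation Hammell describes (link submitted indicators, list the URLs tied to a bad domain, then work out which other participants to contact) can be sketched as a small graph. This is an added example, not Facebook's code or the ThreatExchange API; `IndicatorGraph`, its methods, the org names and every indicator value are constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sample data: (reporting participant, indicator, linked indicator).
# Hypothetical org names; domains and IPs use reserved documentation ranges.
SUBMISSIONS = [
    ("org-a", "malware:sample-1", "domain:bad.example"),
    ("org-b", "domain:bad.example", "ip:203.0.113.7"),
    ("org-b", "url:http://bad.example/login", "domain:bad.example"),
    ("org-c", "url:http://blog.example.net/post", "domain:bad.example"),
    ("org-d", "domain:other.example.org", "ip:198.51.100.9"),
]

class IndicatorGraph:  # hypothetical helper, not a real API
    def __init__(self):
        self.edges = defaultdict(set)      # indicator -> linked indicators
        self.reporters = defaultdict(set)  # indicator -> participants who reported it

    def submit(self, participant, indicator, linked):
        self.edges[indicator].add(linked)
        self.edges[linked].add(indicator)
        self.reporters[indicator].add(participant)
        self.reporters[linked].add(participant)

    def related(self, start, max_hops=2):
        """Breadth-first search: {indicator: hops} within max_hops of start."""
        seen, queue = {start: 0}, deque([start])
        while queue:
            node = queue.popleft()
            if seen[node] == max_hops:
                continue  # do not expand past the hop limit
            for nxt in self.edges.get(node, ()):
                if nxt not in seen:
                    seen[nxt] = seen[node] + 1
                    queue.append(nxt)
        return {k: v for k, v in seen.items() if k != start}

    def urls_for(self, domain):  # URLs directly linked to a domain
        return sorted(i for i in self.related(domain, 1) if i.startswith("url:"))

    def parties_to_notify(self, indicator, submitter):
        # Other participants who reported the indicator or anything near it.
        nearby = [indicator, *self.related(indicator)]
        hits = set().union(*(self.reporters.get(i, set()) for i in nearby))
        return sorted(hits - {submitter})

def build(submissions=SUBMISSIONS):
    graph = IndicatorGraph()
    for participant, indicator, linked in submissions:
        graph.submit(participant, indicator, linked)
    return graph
```

The hop limit matters in practice: a widely shared hosting IP can connect unrelated domains, so an unbounded traversal would flag participants who have nothing to do with the campaign.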

“Where we see the most success is when folks start taking the attacks they are seeing and share those with the folks they think might be affected,” Hammell said.

ThreatExchange is now available in beta and interested participants will have to fill out a form on Facebook’s site if they want to partake.

UK seeks to shutter Russian site streaming video from webcams

If you feel like someone’s watching you, you might be right. A mega peeping Tom site out of Russia is collecting video and images from poorly secured webcams, closed-circuit TV cameras, even baby monitors worldwide and is streaming the results.