Ride-hailing giant Uber Technologies Inc. announced on Tuesday that hackers stole the account information of 57 million people; one Israeli cybersecurity firm may have been able to prevent the data breach.
In October 2016, hackers penetrated Uber by using computer code found on GitHub – a depository where engineers collaborate on code. They then stole Uber’s login credentials for cloud-service provider Amazon and downloaded the archive of data. Cloud services store data in an Internet server as opposed to an internal computer network.
The attackers emailed Uber asking for ransom, and the San Francisco-company complied by paying them $100,000 to delete the personal data. The stolen information included customers’ names, emails and phone numbers, along with the names and license numbers of American drivers.
Udi Mokady, CEO of the Israeli firm CyberArk Software Ltd., blasted the security vulnerabilities, especially for companies using DevOps or when developers writing code work simultaneously with those operating and configuring the code.
An estimated “80% of security breaches involve privileged credentials,” Mokady said, adding that a recent CyberArk survey found that “75% of organizations report no strategy to manage secure DevOps secrets, with 99% of respondents failing to identify all places with privileged accounts.”
With more and more companies adopting DevOps – which prioritizes multi-team collaboration – many more people have privileged account credentials, which leads to greater security challenges. At the same time, more companies are being hosted on cloud development infrastructure rather than their own internal network.
“In the past, if you made this [coding] mistake, nothing happened,” said Kobi Ben-Naim, CyberArk’s senior director of cyber-research, since problems could be contained on an internal network. “But now, if a developer makes a mistake, like the one we saw with Uber, it’s a catastrophic mistake, because the code is public… hackers steal those [account authentication] keys and use them instantly.”
No cybersecurity tool is foolproof, but CyberArk and its Conjur service helps protect machine identities by creating a digital safe. In other words, CyberArk’s clients are not using account authentication keys, but rather the equivalent of a key.
“You cannot make the mistake of leaving the key exposed,” Ben-Naim said.
Based in Petah Tikva, CyberArk says the data breach underscores the need for more companies to use secrets-management solutions such as Conjur, which the company acquired in May 2011 for $42 million.
Israel has stood at the forefront of the global cybersecurity trade, partly because of the security challenges it faces. Much of its workforce gains experience in army intelligence or Unit 8200, where soldiers cyber-attack different nation-states. In other countries, software developers are conducting penetration testing, or “practice.” This has led to the success of multi-billion-dollar entities such as Check Point.
With future advances in machine learning and artificial intelligence, it is possible that computers themselves could write code, avoiding these types of developer mistakes and detecting errors through pattern recognition.
Until then, CyberArk’s Ben-Naim wants companies to know that “going into the cloud [server] itself, it’s not adding strength to your security.