Uber got breached, again

And this time it's a total clusterfuck.

It was some years without a Uber data breach. It's today's news that, allegedly, an 18-years old social-engineered an Uber employee into giving them access to the Uber VPN, and from there, they could move laterally into the main Uber network.

Uber's "uber hack".

From the news, it appears that the hacker got access to almost all of the Uber's most sensitive systems, with admin privileges. From Uber's main AWS account, to the Gsuite account, to Uber's IDS systems. There seems to be huge threads on Twitter with screenshots posted by the hacker about the level of the compromise, and what everybody could see is staggering, given it was shown that the attacker gained access to at least 1PB (yes, 1 PetaByte) of data from the company's systems.

I don't know exactly how Uber is going to recover from this situation, but luckily for them, the hacker doesn't seems to be a bad actor, in the sense that, maybe, no customer informations were stolen. However, a compromise at a so deep level, puts the whole organization in the position to trust nothing they run anymore. Anything could have been compromised, to keep future accesses to the infrastructure available, even to other, malicious actors. At this point in time, Uber seems to be working with authorities to try and contain the problem, but I believe they will be lucky if the attacker decides to not do any serious damage.

As usual, all around the internet, the IT people are bragging that Uber should have used FIDO2 hardware tokens, that they should never, ever, let a powershell script, in a share drive, with privileged credentials, and of course that Uber should have implemented "zero trust".

The only thing missing was the usual "Rust would have saved the company" (I decided to get rid of Hacker News today because of this, I'm tired of the bullshit). But is it strictly a technical problem? Are we sure that we should only focus on the technical side of things? Shouldn't we start to consider some accountability as part of a breach like this?

IMHO, who says that using a FIDO2 enable hardware token as a 2FA mechanism would have prevented this breach, is probably right. But I believe that when the majority of high profile targets will switch to FIDO2 as an authentication mechanism, the attackers will adapt and they will find new and innovative ways to social engineer their targets in giving them access. This means that from a strictly technical point of view, companies not only must give their employees better 2FA authentication mechanisms but, contrary to a lot of popular beliefs that defense-in-depth architectures are bad and that you need "zero trust", companies will need even more defense-in-depth segmentation. No, your bastion hosts aren't going away.

What is taught as "zero-trust architecture", where every single request is checked and validated against an SSO mechanism, with the request being verified if the specific client or whatever, is legitimate, sounds good. But there is a problem: you are relying on a piece of code to do the complete verification work, and supply-chain attacks are a thing:

Solarwinds anyone?

This means that your fancy SSO verification system could get hacked through such an attack, like solarwinds experienced almost two years ago. This should have taught us that no matter what, automatic systems are going to be broken and betting an organization's security totally on such tools, isn't a great idea.

Zero trust is going to work well, only combined with proper network and resources segmentation (no, you are not going to have access to core infrastructure with a powershell script and a hard-coded password), a proper 2FA authentication mechanism like FIDO2 and also, last but not least, by keeping the humans in the loop. Requesting access to resources, shouldn't be approved by a system, but by your superiors on a as-needed basis and here is the answer to the last question I made previously:

The last missing piece to have proper IT security, is the accountability of the CSO and all the command chain with the responsibility of setting policies and approving accesses. That's the only way to keep the "security professionals" honest and not falling to the business stress and pressure. If they are directly accountable, they have a strong reason to rebuff the business people and do the right thing: literally the law.

Banks and financial institutions are already bound to such regulations, with a high risk of paying hefty fines. Why is it that companies like Uber, Cloudflare, Google, are treated differently when they move billions every year? I believe that this is what's really missing for security to be taken seriously at all the big tech companies, there is literally no reason to not bind those monsters to laws demanding them to better protect users data. Unfortunately, until then, there will always be a sloppy, or pressured, sysadmin, writing passwords inside a script.

And the hacking cycle will start again.